Justin Ibarra brokensound77

@brokensound77
brokensound77 / _readme.md
Last active April 19, 2023 23:29
Elastic Schemas for detection rules

Elastic schemas

The full schemas for Elastic Endpoint on Windows, macOS, and Linux.

Also includes schemas for all integrations used by Elastic detection rules, all of which are streamed via the Elastic Agent.

These are all already open-sourced within the detection-rules repo, where they are used for unit test validation (endpoint schemas will be there soon). We even have schemas for the Beats modules (similar to integrations, but on Beats).

@brokensound77
brokensound77 / RMM-detection.md
Last active March 23, 2024 18:04
Detection Engineering: RMM analysis

Detecting RMM

The most difficult challenge with RMM detection is contextual awareness around usage to determine if it is valid or malicious.

  • if the software is not used in the environment
    • could it be legitimate use by a random employee?
    • is it an attacker BYOL?
    • even so, all occurrences could probably be considered suspicious
  • if it is used in the environment
    • is every use of it legitimate? Probably not
  • this also creates significant living off the land (LOL) opportunity
@brokensound77
brokensound77 / README.md
Created March 11, 2023 05:56
Event category and field distribution over ATT&CK techniques

Analysis of Elastic detection-rules, showing event types and field distribution per technique. The full results are represented in the file below (fields_by_technique.json).

The structure is:

"library": {                                       # event.category (generic if event.category not defined)
      "fields": {                                  # field distribution for that event.category within that technique
@brokensound77
brokensound77 / endpoint-flat-schema.json
Created March 10, 2023 23:26
Elastic Endpoint Defend (EDR) schemas as of 8.7
{
"@timestamp": "date",
"Effective_process.entity_id": "keyword",
"Effective_process.executable": "keyword",
"Effective_process.name": "keyword",
"Effective_process.pid": "long",
"Endpoint.capabilities": "keyword",
"Endpoint.configuration": "object",
"Endpoint.configuration.isolation": "boolean",
"Endpoint.metrics": "object",