Managing signal detection rules
This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
Rules run periodically and search the specified indices for documents that meet their criteria.
After you activate a rule, periodically check that the rule is running as expected. When a rule fails to run, the SIEM app tries to rerun it at its next scheduled run time and an error is displayed in the Failure History table on the Rule details page (SIEM → Detections → Manage signal detection rules → <rule name>).
If you see a "gaps of <x> minutes, and could be missing signals within that time" error message, see Troubleshoot missing signals.
On the Rules page, you can load prebuilt Elastic rules, create new rules, modify existing rules, and import and export rules, as described in the following sections.
Load prebuilt Elastic rules
To load the SIEM app’s prebuilt rules, click Load Elastic prebuilt rules on the Signal detection rules page (SIEM → Detections → Manage signal detection rules).
If you delete any of the prebuilt rules, a button appears that enables reloading all the deleted prebuilt rules.
By default, prebuilt rules are not activated. If you want to modify a prebuilt rule, you must first duplicate it and then make your changes to the duplicated rule. Filter out uncommon application signals provides a detailed example of duplicating and modifying a rule.
All Elastic prebuilt rules are tagged with the word Elastic.
Select and duplicate all prebuilt rules
- Select the Elastic rules tab.
- Scroll to the bottom of the page.
- Click the Rows per page menu, and then select 200 rows.
- When the page reloads, select all the rules.
- Click Bulk actions → Duplicate selected.
- Select the Custom rules tab.
You can then modify the duplicated rules and, if required, delete the prebuilt ones.
Create a new rule
- Go to SIEM → Detections → Manage signal detection rules.
- Click Create new rule. The Create new rule page is displayed.
- Define which Elasticsearch indices the rule analyzes for signals.
- Use the filter and query fields to create the criteria used for detecting signals. You can use Kibana saved queries (save icon) and queries from saved timelines (Import query from saved timeline) as rule conditions.
  For example, the following rule detects when the vssadmin delete shadows Windows command is executed:
  - Index patterns: winlogbeat-*
    Winlogbeat ships Windows event logs to the SIEM app.
  - Custom query: event.action:"Process Create (rule: ProcessCreate)" and process.name:"vssadmin.exe" and process.args:("delete" and "shadows")
    Searches the winlogbeat-* indices for vssadmin.exe executions with the delete and shadows arguments, which are used to delete a volume’s shadow copies.
  This example is based on the Volume Shadow Copy Deletion via VssAdmin prebuilt rule.
- Click Continue. The About rule pane is displayed.
- Fill in the following fields:
  - Name: The rule’s name.
  - Description: A description of what the rule does.
  - Severity: Select the severity level of signals created by the rule:
    - Low: Signals that are of interest but generally not considered to be security incidents. Sometimes, a combination of low severity events can indicate suspicious activity.
    - Medium: Signals that require investigation.
    - High: Signals that require an immediate investigation.
    - Critical: Signals that indicate it is highly likely a security incident has occurred.
  - Risk score: A numerical value between 0 and 100 that correlates with the Severity level. General guidelines are:
    - 0-21 represents low severity.
    - 22-47 represents medium severity.
    - 48-73 represents high severity.
    - 74-100 represents critical severity.
  - For additional options, click Advanced settings and fill in any of these fields:
    - Timeline template (optional): Select a timeline template used when you send a signal created by the rule to the timeline. Before you create rules, create and save relevant timelines so they can be selected here. When signals generated by the rule are investigated in Timeline, some query field values are replaced with their corresponding signal field values.
    - Reference URLs (optional): References to information that is relevant to the rule. For example, links to relevant background information.
    - False positives (optional): List of common scenarios that may produce false-positive signals.
    - MITRE ATT&CK™ (optional): Relevant MITRE framework tactics and techniques.
    - Tags (optional): Words and phrases used to categorize, filter, and search the rule.
- Click Continue. The Schedule rule pane is displayed.
- Select how often the rule runs.
- Optionally, add Additional look-back time to the rule. When defined, the rule searches indices with the additional time. For example, if you set a rule to run every 5 minutes with an additional look-back time of 1 minute, the rule runs every 5 minutes but analyzes the documents added to indices during the last 6 minutes.
  It is recommended to set the Additional look-back time to at least 1 minute. This ensures there are no missing signals when a rule does not run exactly at its scheduled time. The SIEM app performs deduplication: duplicate signals discovered during the Additional look-back time are not created.
- Save the rule with or without activation. When you activate a rule, it is queued and its schedule is determined by its initial run time. For example, if you activate a rule that runs every 5 minutes at 14:03 but it does not run until 14:04, it will run again at 14:09.
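The following added example (not code from the SIEM app) models the schedule and look-back behaviour described above so you can see where a coverage gap appears when a run is late and why duplicate signals in the overlapping look-back window must be suppressed. It assumes, as a simplification, that each run searches the window from run time minus interval minus look-back up to the run time; the run times below are constructed.

```python
from datetime import datetime, timedelta

# Added model of the rule schedule, not the SIEM app's own logic. Assumption:
# each run searches the index window [run_time - interval - look_back, run_time];
# any part of the period since the previous run that this window does not cover
# is a gap in which signals can be missed.

def search_window(run_time, interval, look_back):
    """Start and end of the time range one rule run analyzes."""
    return run_time - interval - look_back, run_time

def coverage_gap(prev_run, run_time, interval, look_back):
    """Time between the previous run and the start of this window (zero if covered)."""
    start, _ = search_window(run_time, interval, look_back)
    return max(timedelta(0), start - prev_run)

def schedule_report(run_times, interval, look_back):
    """Per-run summary (window start/end and gap in minutes) for actual run times."""
    report, prev = [], None
    for run in run_times:
        start, end = search_window(run, interval, look_back)
        gap = coverage_gap(prev, run, interval, look_back) if prev else timedelta(0)
        report.append({"run": run, "start": start, "end": end,
                       "gap_minutes": gap.total_seconds() / 60})
        prev = run
    return report

def dedupe_signals(hits_per_run):
    """Create each signal once, even when overlapping windows return a document twice."""
    seen, created = set(), []
    for hits in hits_per_run:
        for doc_id in hits:
            if doc_id not in seen:
                seen.add(doc_id)
                created.append(doc_id)
    return created

# Constructed scenario: rule activated at 14:03, first run at 14:04, every 5 minutes
# with 1 minute of additional look-back; the fourth run is delayed from 14:19 to 14:22.
INTERVAL = timedelta(minutes=5)
LOOK_BACK = timedelta(minutes=1)
RUNS = [datetime(2020, 1, 1, 14, m) for m in (4, 9, 14, 22)]

if __name__ == "__main__":
    for row in schedule_report(RUNS, INTERVAL, LOOK_BACK):
        print(f"run {row['run']:%H:%M} searches {row['start']:%H:%M}-{row['end']:%H:%M}"
              f" gap {row['gap_minutes']:.0f} min")
```

With a 1 minute look-back the on-time runs overlap by one minute (hence the deduplication), while the run that slips three minutes leaves a two-minute gap that only a larger look-back would close.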
Modify existing rules
You can clone, edit, activate, deactivate, and delete rules:
- Go to SIEM → Detections → Manage signal detection rules.
- Do one of the following:
  - Click the actions icon (three dots) and then select the required action.
  - In the Rule column, select all the rules you want to act on, and then select the required action from the Batch actions menu.
  - To activate or deactivate a rule, click the Activate toggle button.
Import and export rules
- Go to SIEM → Detections → Manage signal detection rules.
- To import rules:
  - Click Import rule.
  - Drag-and-drop files containing the signal detection rules. Imported rules must be in an ndjson file.
- To export rules:
  - In the All rules table, select the rules you want to export.
  - Select Batch actions → Export selected.
  You cannot export prebuilt rules.
Troubleshoot missing signals
When a rule fails to run close to its scheduled time, some signals may be missing. There are a number of steps you can perform to try to resolve this issue.
If you see "gaps of <x> minutes" error messages for a small number of rules, you can increase those rules' Additional look-back time (Signal detection rules page → the rule’s actions icon → Edit rule settings → Schedule → Additional look-back time).
If you see "gaps of <x> minutes" for a lot of rules:
- If you restarted Kibana when many rules were activated, try deactivating them and then reactivating them in small batches at staggered intervals. This ensures Kibana does not attempt to run all the rules at the same time.
- Consider adding another Kibana instance to your environment.