Lateral movement detection package

[sodhikirti07]

What does this PR do?

This PR adds Lateral movement detection assets to the integration packages list.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues and docs

elastic/security-ml#167
elastic/security-team#2933
https://docs.google.com/document/d/1aGB55YGVvIhMaa52uLr2CErTiifsRfb7gp2EZAJ1efQ/edit#heading=h.kgcaafk0hh1h
https://docs.google.com/document/d/14qliB7-hevPVNKX5SM1z6_gKhzVrbgb6G8wHZvMBNXs/edit

Screenshots

[sodhikirti07]

Tested the package and following are some screenshots for the assets working as expected:

• Package added as an integration

• ML jobs installed and started successfully

• Detection rules are successfully imported

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-12-20T19:51:17.951+0000

• Duration: 13 min 46 sec

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[sodhikirti07]

I have kept the version of release as experimental based on the discussion I had with Jake yesterday. The idea is to release the package in technical review first to investigate if the rules create a lot of noise. This can be done by tracking the alerts telemetry. Please let me know your thoughts.

[susan-shu-c]

I think we don't need this placeholder Elastic logo screenshot anymore since we have any actual screenshot?

[sodhikirti07]

Yes, thanks for pointing it out. I meant to delete it earlier.

[cla-checker-service]

💚 CLA has been signed

[szeitlin]

suggested change - someone who knows more about product stuff should also review it and make sure it's ok to use direct instructions, rather than this very soft optional language that was there before.

[sodhikirti07]

@szeitlin Can we ask Sourin about this when he is back? Should we wait for his feedback?

[szeitlin]

@szeitlin Can we ask Sourin about this when he is back? Should we wait for his feedback?

I don't know that we want to wait that long. Maybe @approksiu or @MikePaquette can give us their expert opinion so we can get unblocked sooner?

[ajosh0504]

@sodhikirti07 Overall, looks great! 🥇

Left some suggestions. Could you also paste screenshots:

• To show that the ML job module shows up as expected based on the query in the module json
• To show that the ML module is installed successfully without errors
• To show that runtime mappings are being added and working as expected
• To show that rules are enabled without errors

[MikePaquette]

suggested change - someone who knows more about product stuff should also review it and make sure it's ok to use direct instructions, rather than this very soft optional language that was there before.

I prefer the more direct language, but let's get the opinion of our tech documentation team, since they are experts in ensuring we use consistent style and language.

@jmikell821 can you or a member of your team review/edit the instructions mentioned above #4833 (review) ? Thanks in advance.

[sodhikirti07]

Left some suggestions. Could you also paste screenshots:

To show that the ML job module shows up as expected based on the query in the module json
To show that the ML module is installed successfully without errors
To show that runtime mappings are being added and working as expected
To show that rules are enabled without errors

@ajosh0504 I think I've already covered the 1,2,4 screenshots here. Will do the screenshot of runtime mappings. Please let me know if you're implying something else here.

[sodhikirti07]

• ML module and jobs working properly:

• Detection rules started without any warnings:

• Mapping for file_directory working as expected in the datafeed

[sodhikirti07]

@ajosh0504 made changes as suggested. Please have a look.

[ajosh0504]

Few more minor nits. Sorry! 😬

[approksiu]

@szeitlin Can we ask Sourin about this when he is back? Should we wait for his feedback?

I don't know that we want to wait that long. Maybe @approksiu or @MikePaquette can give us their expert opinion so we can get unblocked sooner?

I like the strong language - I see that our users look up to us for recommendations how should they set things up. Let's also see what the docs team thinks.

[ajosh0504]

Awesome! 🚢

[szeitlin]

@sodhikirti07 do you know who/where to ask re: having the docs team review this?

[benironside]

Overall the README looks good. Made a couple of minor suggestions. No problems with the imperative language, that's standard for instructions.

[sodhikirti07]

Shipping this package as experimental for 8.6. Below are a couple of things to do before moving it to ga in 8.7:

• Add dashboard in the package spec
• Attach a blog-post for lateral movement

[elasticmachine]

Package lmd - 0.0.1 containing this change is available at https://epr.elastic.co/search?package=lmd

[CyberTaoFlow]

seems like zeek and/or suricata SMB traffic could be useful for providing the network viewpoint independent of agent telemetry.
One point to consider is there will be a need to perform correlation with kerberos or ntlm logs from these same tools to obtain the user information used as an influencing attribute in the current jobs.