
Increasing signal to noise ratio for Mitel systems

Author

Hilton D

If you’re responsible for defending Mitel systems, specifically the Mitel MiCollab suite running on Mitel’s “Mitel Standard Linux”, you have probably noticed by now that these systems are very noisy from a defender’s point of view. For example:


Yes, this is actually a legitimate process tree on a Mitel MiCollab system — I was investigating an alert that detects suspicious child processes spawned by Java, and this is what I found.

When parent-child process chains this long are the normal baseline (the full tree is about 20 processes deep), it is hard to detect or alert on actual malicious activity: the genuine Mitel behaviour looks exactly like the pattern the rule was written to catch.

There are some ways to improve this. Here are the exceptions I have added to our detection rules (based on the default Elastic ruleset):

For the Suspicious Java Child Process rule: except child processes whose program artifacts (executable path, arguments, command line) carry Mitel-specific references.

For the System Log File Deletion and WebServer Access Logs Deleted rules: except the specific Mitel binaries that are the culprit. Yes, Mitel utilities actually clear the logs — how helpful!
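To make the tuning concrete, here is an added example of how rule exceptions of this kind behave when evaluated over events. This is not the author’s code and not the actual exemptions (which are deliberately not published in the post); the three rule predicates are simplified approximations of the Elastic rules named above, not the published queries, and every Mitel path in it (`/opt/PLACEHOLDER-mitel-suite/...`, `log-maint`, `helper`) is a constructed placeholder, as are the sample events. It models Elastic’s exception semantics: an exception item suppresses a match when all of its entries match (AND), and any item in the list is sufficient (OR).

```python
"""Added example: Elastic-style detection rules plus tuning exceptions, evaluated
over constructed ECS-shaped events. Rule queries are simplified approximations of
the named Elastic rules; all Mitel paths are placeholders, not real product paths."""
from fnmatch import fnmatchcase

# Simplified approximations of the three rules from the default Elastic ruleset.
JAVA_SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "ksh", "zsh", "curl", "wget",
                            "perl", "python", "php", "ruby"}
SYSTEM_LOG_FILES = {"/var/run/utmp", "/var/log/wtmp", "/var/log/btmp", "/var/log/lastlog",
                    "/var/log/syslog", "/var/log/messages", "/var/log/secure", "/var/log/auth.log"}
WEBSERVER_LOG_GLOBS = ("/var/log/apache*/access.log", "/var/log/httpd/access_log",
                       "/var/www/*/logs/access.log")


def rule_suspicious_java_child(ev):
    return (ev.get("event.category") == "process" and ev.get("event.type") == "start"
            and ev.get("process.parent.name") == "java"
            and ev.get("process.name") in JAVA_SUSPICIOUS_CHILDREN)


def rule_system_log_deletion(ev):
    return (ev.get("event.category") == "file" and ev.get("event.type") == "deletion"
            and ev.get("file.path") in SYSTEM_LOG_FILES)


def rule_webserver_log_deleted(ev):
    return (ev.get("event.category") == "file" and ev.get("event.type") == "deletion"
            and any(fnmatchcase(ev.get("file.path", ""), g) for g in WEBSERVER_LOG_GLOBS))


RULES = {
    "Suspicious Java Child Process": rule_suspicious_java_child,
    "System Log File Deletion": rule_system_log_deletion,
    "WebServer Access Logs Deleted": rule_webserver_log_deleted,
}

# Placeholder paths (assumptions for the example, NOT real Mitel file paths).
MITEL_ROOT_GLOB = "/opt/PLACEHOLDER-mitel-suite/*"
MITEL_LOGTOOL = "/opt/PLACEHOLDER-mitel-suite/bin/log-maint"

# Exception items per rule: each item is a list of entries that must ALL match.
EXCEPTIONS = {
    "Suspicious Java Child Process": [
        # Narrow the exception: the Java parent must live under the Mitel install root AND
        # the child's command line must reference Mitel artifacts, not just either alone.
        [{"field": "process.parent.executable", "type": "wildcard", "value": MITEL_ROOT_GLOB},
         {"field": "process.command_line", "type": "wildcard", "value": "*PLACEHOLDER-mitel-suite*"}],
    ],
    "System Log File Deletion": [
        [{"field": "process.executable", "type": "match", "value": MITEL_LOGTOOL}],
    ],
    "WebServer Access Logs Deleted": [
        [{"field": "process.executable", "type": "match", "value": MITEL_LOGTOOL}],
    ],
}


def entry_matches(entry, ev):
    value = ev.get(entry["field"])
    if value is None:
        return False
    if entry["type"] == "match":
        return value == entry["value"]
    if entry["type"] == "wildcard":
        return fnmatchcase(value, entry["value"])
    raise ValueError("unsupported entry type: %s" % entry["type"])


def excepted(items, ev):
    """True if any exception item (all of its entries) matches the event."""
    return any(all(entry_matches(e, ev) for e in item) for item in items)


def evaluate(events, rules=RULES, exceptions=EXCEPTIONS):
    """Return (rule_name, event_id) for each event a rule matches and no exception suppresses."""
    alerts = []
    for ev in events:
        for name, predicate in rules.items():
            if predicate(ev) and not excepted(exceptions.get(name, []), ev):
                alerts.append((name, ev["id"]))
    return alerts


def noise_reduction(events, rules=RULES, exceptions=EXCEPTIONS):
    """(alert count without exceptions, alert count with exceptions)."""
    return len(evaluate(events, rules, {})), len(evaluate(events, rules, exceptions))


# Constructed sample events (flat ECS-style keys); ids 1, 3 and 5 are the benign Mitel noise.
EVENTS = [
    {"id": 1, "event.category": "process", "event.type": "start", "process.parent.name": "java",
     "process.parent.executable": "/opt/PLACEHOLDER-mitel-suite/jre/bin/java", "process.name": "sh",
     "process.command_line": "sh -c /opt/PLACEHOLDER-mitel-suite/bin/helper --status"},
    {"id": 2, "event.category": "process", "event.type": "start", "process.parent.name": "java",
     "process.parent.executable": "/usr/bin/java", "process.name": "bash",
     "process.command_line": "bash -c /tmp/update.sh"},
    {"id": 3, "event.category": "file", "event.type": "deletion", "file.path": "/var/log/messages",
     "process.name": "log-maint", "process.executable": MITEL_LOGTOOL},
    {"id": 4, "event.category": "file", "event.type": "deletion", "file.path": "/var/log/messages",
     "process.name": "rm", "process.executable": "/usr/bin/rm"},
    {"id": 5, "event.category": "file", "event.type": "deletion", "file.path": "/var/log/httpd/access_log",
     "process.name": "log-maint", "process.executable": MITEL_LOGTOOL},
]

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
    print("alerts before/after exceptions:", noise_reduction(EVENTS))
```

The design point is the shape of the Java exception: it keys on the parent executable path and the child command line together, so a shell spawned by a Java process outside the Mitel install root still fires even if its command line happens to mention Mitel. Exceptions that match a bare substring are much easier for unrelated activity to slip under, so keep each item as narrow as the legitimate behaviour allows and review the list when the product is upgraded, since the helper paths and log-maintenance binaries can move.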

With these exceptions you should get less noise and more signal in your detection pipeline!

I haven’t shared the details for obvious reasons, but if you are also responsible for defending these systems, reach out to me directly and I can share the actual exemptions with you.