From 0f05d7ae69a4440d4453ce3fced0a2e78b581bfc Mon Sep 17 00:00:00 2001 
From: Kirti Kirti
Date: Wed, 19 Feb 2025 15:14:01 -0500
Subject: [PATCH 1/4] Add detection-rules for privileged access detection integration

---
 ...unt_privileged_process_events_by_user.toml | 63 ++++++++++++++++++
 ..._process_command_line_entropy_by_user.toml | 63 ++++++++++++++++++
 ...l_linux_rare_process_executed_by_user.toml | 62 ++++++++++++++++++
 ..._high_sum_concurrent_sessions_by_user.toml | 63 ++++++++++++++++++
 ...access_ml_okta_rare_host_name_by_user.toml | 62 ++++++++++++++++++
 ...cess_ml_okta_rare_region_name_by_user.toml | 62 ++++++++++++++++++
 ...access_ml_okta_rare_source_ip_by_user.toml | 62 ++++++++++++++++++
 ..._group_application_assignment_changes.toml | 62 ++++++++++++++++++
 ...okta_spike_in_group_lifecycle_changes.toml | 62 ++++++++++++++++++
 ...kta_spike_in_group_membership_changes.toml | 62 ++++++++++++++++++
 ...okta_spike_in_group_privilege_changes.toml | 62 ++++++++++++++++++
 ..._in_user_lifecycle_management_changes.toml | 62 ++++++++++++++++++
 ...ws_high_count_group_management_events.toml | 64 +++++++++++++++++++
 ...ndows_high_count_special_logon_events.toml | 63 ++++++++++++++++++
 ...gh_count_special_privilege_use_events.toml | 63 ++++++++++++++++++
 ..._count_user_account_management_events.toml | 64 +++++++++++++++++++
 ...access_ml_windows_rare_device_by_user.toml | 63 ++++++++++++++++++
 ...ss_ml_windows_rare_group_name_by_user.toml | 64 +++++++++++++++++++
 ...ndows_rare_privilege_assigned_to_user.toml | 63 ++++++++++++++++++
 ...s_ml_windows_rare_region_name_by_user.toml | 63 ++++++++++++++++++
 ...ess_ml_windows_rare_source_ip_by_user.toml | 63 ++++++++++++++++++
 21 files changed, 1317 insertions(+)
 create mode 100644 rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
 create mode 100644 rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
new file mode 100644
index 00000000000..811be97abc8
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "sysmon_linux"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified an increase in the execution of privileged commands by a user, indicating potential privileged access activity.
+This could be a sign that the user is attempting to gain unauthorized access to sensitive or restricted parts of the system.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_linux_high_count_privileged_process_events_by_user"
+name = "Spike in Privileged Command Execution by a User"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
new file mode 100644
index 00000000000..5d5ccd293ea
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml
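Review bot: The `[rule.threat.tactic]` block at the end of this hunk pairs `id = "TA0004"` and the TA0004 reference URL with `name = "Exfiltration"`; TA0004 is Privilege Escalation, which is also what the `Tactic: Privilege Escalation` tag and the technique mapping say, so the line should read `name = "Privilege Escalation"`. The identical tactic block, with the same mismatch, is repeated in every other file of this patch (the command-line-entropy and rare-process Linux rules and all of the Okta rules shown), so it needs the same one-line fix in each. Left as is, alerts from these rules would be labelled with the wrong tactic anywhere threat.tactic.name is displayed or used for triage, and the name/id pair is likely to fail the repository's ATT&CK validation. Separately, every new file ends with `\ No newline at end of file`; the files should end with a single trailing newline.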
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "sysmon_linux"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user, suggesting possible privileged access activity through command lines.
+High entropy often indicates that the commands may be obfuscated or deliberately complex, which can be a sign of suspicious or unauthorized use of privileged access.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_linux_high_median_process_command_line_entropy_by_user"
+name = "High Command Line Entropy Detected for Privileged Commands"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "0cbbb5e0-f93a-47fe-ab72-8213366c38f1"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
new file mode 100644
index 00000000000..cbda63b1624
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml
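Review bot: The technique mapping `id = "T1055"` / `name = "Process Injection"` does not follow from what this rule says it detects — a high median command-line entropy, which the description itself reads as obfuscated or deliberately complex commands — and nothing in the rule involves injecting into another process; the rare-process rule in the next hunk reuses the same T1055 mapping for an unusual-process detection, where it fits no better. If obfuscation is the intended signal, T1027 (Obfuscated Files and Information) looks like the closer technique, but it belongs to Defense Evasion rather than the TA0004 tactic declared below, so the tactic, the `Tactic:` tag and the technique need to be chosen together. Whatever is chosen, please confirm the id/name pair against the repository's ATT&CK data so that the mapping cannot drift from the reference URL.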
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "sysmon_linux"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected an unusual process run for privileged commands by a user, indicating potential privileged access activity.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_linux_rare_process_executed_by_user"
+name = "Unusual Process Detected for Privileged Commands by a User"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "5eac16ab-6d4f-427b-9715-f33e1b745fc7"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
new file mode 100644
index 00000000000..727e3a7b811
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad","okta"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected an unusually high number of active concurrent sessions initiated by a user, indicating potential privileged access activity.
+A sudden surge in concurrent active sessions by a user may indicate an attempt to abuse valid credentials for privilege escalation or maintain persistence.
+Adversaries might be leveraging multiple sessions to execute privileged operations, evade detection, or perform unauthorized actions across different systems.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_okta_high_sum_concurrent_sessions_by_user"
+name = "Unusual Spike in Concurrent Active Sessions by a User"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "a300dea6-e228-40e1-9123-a339e207378b"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
new file mode 100644
index 00000000000..1f512f104cf
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml
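Review bot: The setup text in this hunk says the rule needs `Okta logs collected by integrations such as Okta`, which names the integration as an example of itself and leaves the reader unsure whether other sources qualify; the Linux rules phrase the equivalent sentence concretely, so this one should read `as well as Okta system logs collected by the Okta integration`. The same sentence is repeated verbatim in every Okta rule of this patch (rare host name, rare region name, rare source IP, and the group/user change spikes), so it should be corrected in each. As a matter of style, `integration = ["pad","okta"]` in these Okta files omits the space after the comma that the Linux files use (`["pad", "endpoint", "sysmon_linux"]`); `integration = ["pad", "okta"]` keeps the set consistent for the formatter.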
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad","okta"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Okta from an uncommon device, indicating potential privileged access activity.
+This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_okta_rare_host_name_by_user"
+name = "Unusual Host Name for Okta Privileged Operations Detected"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
new file mode 100644
index 00000000000..043140a56d7
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
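Review bot: The description in this hunk says the job flags privileged operations `from an uncommon device`, while the rule name, the `pad_okta_rare_host_name_by_user` job id and the second sentence of the description (`an unauthorized device`) talk about a host name; a host name is a weaker identity than a device, so an analyst reading the alert text will expect device-level attribution the job does not provide. Suggest aligning the first sentence with the job: `A machine learning job has identified a user performing privileged operations in Okta from an uncommon host name, indicating potential privileged access activity.` and dropping or rewording the "unauthorized device" phrase accordingly.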
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad","okta"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Okta from an uncommon geographical location, indicating potential privileged access activity.
+This could suggest a compromised account, unauthorized access, or an attacker using stolen credentials to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_okta_rare_region_name_by_user"
+name = "Unusual Region Name for Okta Privileged Operations Detected"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
new file mode 100644
index 00000000000..def7dadee3e
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad","okta"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity.
+This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_okta_rare_source_ip_by_user"
+name = "Unusual Source IP for Okta Privileged Operations Detected"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "fbb10f1e-77cb-42f9-994e-5da17fc3fc15"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
new file mode 100644
index 00000000000..5fcae75b4a0
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad","okta"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified an unusual spike in Okta group application assignment change events, indicating potential privileged access activity.
+Threat actors might be assigning applications to groups to escalate access, maintain persistence, or facilitate lateral movement within an organization’s environment.
+"""
+from = "now-3h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_okta_spike_in_group_application_assignment_changes"
+name = "Spike in Group Application Assignment Change Events"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "3278313c-d6cd-4d49-aa24-644e1da6623c"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
new file mode 100644
index 00000000000..6c48ec59849
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
@@ -0,0 +1,62 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad","okta"] +maturity = "production" + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified an unusual spike in Okta group lifecycle change events, indicating potential privileged access activity. +Adversaries may be altering group structures to escalate privileges, maintain persistence, or facilitate lateral movement within an organization’s identity management system. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_okta_spike_in_group_lifecycle_changes" +name = "Spike in Group Lifecycle Change Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. 
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" +] +type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml new file mode 100644 index 00000000000..e7064444a72 --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml 
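Review bot: The tactic mapping at the end of the hunk is internally inconsistent: `id = "TA0004"` and the `/tactics/TA0004/` reference denote Privilege Escalation, while `name = "Exfiltration"` is the name of TA0010; change it to `name = "Privilege Escalation"` so it agrees with the id, the reference and the `"Tactic: Privilege Escalation"` tag. The first line of `setup` also reads circularly — "Okta logs collected by integrations such as Okta" — and would be clearer as `as well as Okta system log events collected by the Okta integration.` so the reader knows which data stream the ML job consumes.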
@@ -0,0 +1,62 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad","okta"] +maturity = "production" + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified an unusual spike in Okta group membership events, indicating potential privileged access activity. +Attackers or malicious insiders might be adding accounts to privileged groups to escalate their access, potentially leading to unauthorized actions or data breaches. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_okta_spike_in_group_membership_changes" +name = "Spike in Group Membership Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "138520d2-11ff-4288-a80e-a45b36dca4b1" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. 
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" +] +type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml new file mode 100644 index 00000000000..0e43163d58e --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml 
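Review bot: `name = "Exfiltration"` under `[rule.threat.tactic]` does not match `id = "TA0004"` (Privilege Escalation; Exfiltration is TA0010) or the rule's `"Tactic: Privilege Escalation"` tag, so the line should read `name = "Privilege Escalation"`. A spike in Okta group membership changes is also exactly what automated provisioning produces — SCIM or HR-driven lifecycle syncs and onboarding waves typically add many accounts to groups at once — and the rule gives the analyst no hint about that. Assuming this repo's rule schema exposes the `false_positives` field other rules use, I would add `false_positives = ["Bulk group membership changes from automated provisioning (for example SCIM or HR-driven lifecycle workflows) or onboarding waves can trigger this rule; check whether the actor is a known automation or service account."]`.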
@@ -0,0 +1,62 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad","okta"] +maturity = "production" + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity. +Attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_okta_spike_in_group_privilege_changes" +name = "Spike in Group Privilege Change Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "02b4420d-eda2-4529-9e46-4a60eccb7e2d" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. 
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" +] +type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml new file mode 100644 index 00000000000..478d1a976eb --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml 
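Review bot: The tactic name at the end of the hunk is wrong for its id: TA0004, which the `id` and `reference` lines point at and which the `"Tactic: Privilege Escalation"` tag names, is Privilege Escalation, not Exfiltration (TA0010); set `name = "Privilege Escalation"`. A minor formatting point: `integration = ["pad","okta"]` omits the space after the comma that the Windows rules in the same patch use (`["pad", "endpoint", "windows"]`); `integration = ["pad", "okta"]` keeps the arrays uniform across the integration's rule set.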
@@ -0,0 +1,62 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad","okta"] +maturity = "production" + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity. +Threat actors may manipulate user accounts to gain higher access rights or persist within the environment. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_okta_spike_in_user_lifecycle_management_changes" +name = "Spike in User Lifecycle Management Change Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "178770e0-5c20-4246-b430-e216a2888b23" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. 
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" +] +type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml new file mode 100644 index 00000000000..70d50c80f40 --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml 
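Review bot: `[rule.threat.tactic]` pairs `id = "TA0004"` with `name = "Exfiltration"`, but TA0004 is Privilege Escalation (Exfiltration is TA0010) and that is also what the `"Tactic: Privilege Escalation"` tag and the `/tactics/TA0004/` reference say; the line should be `name = "Privilege Escalation"`. The file also ends without a trailing newline (`\ No newline at end of file`), as do the other files in this patch; ending each file with a single newline avoids noisy diffs later and is what TOML formatters such as taplo expect.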
@@ -0,0 +1,64 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad", "endpoint", "windows"] +maturity = "production" + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified a spike in group management events for a user, indicating potential privileged access activity. +The machine learning has flagged an abnormal rise in group management actions (such as adding or removing users from privileged groups), +which could point to an attempt to escalate privileges or unauthorized modifications to group memberships. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_windows_high_count_group_management_events" +name = "Spike in Group Management Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "751b0329-7295-4682-b9c7-4473b99add69" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" +] +type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml new file mode 100644 index 00000000000..f7f5ad9dc46 --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml 
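Review bot: The tactic block at the end of the hunk names TA0004 as `"Exfiltration"`, but TA0004 is Privilege Escalation (Exfiltration is TA0010), which is also what the `"Tactic: Privilege Escalation"` tag and the reference URL indicate; change it to `name = "Privilege Escalation"`. In `description`, the second sentence has a dropped word — "The machine learning has flagged an abnormal rise" — and should read `The machine learning job has flagged an abnormal rise in group management actions ...`.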
@@ -0,0 +1,63 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad", "endpoint", "windows"] +maturity = "production" + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has detected a surge in special logon events for a user, indicating potential privileged access activity. +A sudden spike in these events could suggest an attacker or malicious insider gaining elevated access, possibly for lateral movement or privilege escalation. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_windows_high_count_special_logon_events" +name = "Spike in Special Logon Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "097ef0b8-fb21-4e45-ad89-d81666349c6a" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" +] +type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml new file mode 100644 index 00000000000..76a5c0d89ce --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml 
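Review bot: `name = "Exfiltration"` in `[rule.threat.tactic]` contradicts `id = "TA0004"`, the `/tactics/TA0004/` reference and the `"Tactic: Privilege Escalation"` tag, all of which denote Privilege Escalation (Exfiltration is TA0010); the line should be `name = "Privilege Escalation"`. Special logon events are, as far as I know, generated at every logon of an account that holds sensitive privileges, so administrator and service accounts typically produce them continuously and a spike can simply be a patch or maintenance window. The rule offers no triage guidance for that; if the schema permits, a `false_positives` entry such as `"Administrator and service accounts generate special logon events routinely; spikes that coincide with patching or maintenance windows are expected."` would help the analyst.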
@@ -0,0 +1,63 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad", "endpoint", "windows"] +maturity = "production" + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has detected an unusual increase in special privilege usage events, such as privileged operations and service calls, for a user, suggesting potential unauthorized privileged access. +A sudden spike in these events may indicate an attempt to escalate privileges, execute unauthorized tasks, or maintain persistence within a system. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_windows_high_count_special_privilege_use_events" +name = "Spike in Special Privilege Use Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "6fb2280a-d91a-4e64-a97e-1332284d9391" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" +] +type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml new file mode 100644 index 00000000000..3e96515faa1 --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml 
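Review bot: The tactic mapping at the end of the hunk is inconsistent: `id = "TA0004"` is Privilege Escalation while `name = "Exfiltration"` is the name of TA0010; `name = "Privilege Escalation"` matches the id, the reference and the `"Tactic: Privilege Escalation"` tag. The `setup` text says the Windows logs may come from "Elastic Defend and Windows", but special privilege use events are Security-event-log audit records, and to my knowledge Elastic Defend's endpoint telemetry does not include them; if the ML job depends on that channel, the prerequisites should state that the Windows integration's Security event log collection is required rather than presenting the two integrations as interchangeable — please confirm against the job's datafeed.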
@@ -0,0 +1,64 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad", "endpoint", "windows"] +maturity = "production" + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified a spike in user account management events for a user, indicating potential privileged access activity. +This indicates an unusual increase in actions related to managing user accounts (such as creating, modifying, or deleting accounts), +which could be a sign of an attempt to escalate privileges or unauthorized activity involving account management. +""" +from = "now-3h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_windows_high_count_user_account_management_events" +name = "Spike in User Account Management Events" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "37cca4d4-92ab-4a33-a4f8-44a7a380ccda" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" +] +type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml new file mode 100644 index 00000000000..e06792fb3b5 --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml 
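Review bot: The tactic name at the end of the hunk is wrong for its id — TA0004 (the `id`, the `/tactics/TA0004/` reference and the `"Tactic: Privilege Escalation"` tag) is Privilege Escalation, not Exfiltration, which is TA0010 — so the line should be `name = "Privilege Escalation"`. The `description` also says the same thing twice: the first sentence reports a spike in user account management events and the second opens with "This indicates an unusual increase in actions related to managing user accounts"; folding the examples into the first sentence, e.g. `... a spike in user account management events (such as creating, modifying, or deleting accounts) for a user, which could be a sign of ...`, reads more cleanly.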
@@ -0,0 +1,63 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad", "endpoint", "windows"] +maturity = "production" + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has identified a user performing privileged operations in Windows from an uncommon device, indicating potential privileged access activity. +This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges. +""" +from = "now-1h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_windows_rare_host_name_by_user" +name = "Unusual Host Name for Windows Privileged Operations Detected" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "2bca4fcd-5228-4472-9071-148903a31057" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" +] +type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml new file mode 100644 index 00000000000..97ef15e0c2f --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml 
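Review bot: `[rule.threat.tactic]` gives `name = "Exfiltration"` for `id = "TA0004"`, but TA0004 is Privilege Escalation (Exfiltration is TA0010), as the `"Tactic: Privilege Escalation"` tag and the reference URL already indicate; change it to `name = "Privilege Escalation"`. The rule also uses three different terms for the same dimension: the file is named `rare_device_by_user`, the job is `pad_windows_rare_host_name_by_user`, the rule `name` says "Unusual Host Name", and the `description` says "from an uncommon device". Since the job id fixes the field as host name, I would align the description to `from an uncommon host` and consider renaming the file to match. Finally, this rule uses `from = "now-1h"` where the spike rules in the same patch use `now-3h`; if the difference is deliberate (e.g. a shorter job bucket span) it is fine, but it is worth confirming rather than leaving it to look accidental.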
@@ -0,0 +1,64 @@ +[metadata] +creation_date = "2025/02/18" +integration = ["pad", "endpoint", "windows"] +maturity = "production" + +[rule] +anomaly_threshold = 75 +author = ["Elastic"] +description = """ +A machine learning job has detected a user accessing an uncommon group name for privileged operations, indicating potential privileged access activity. +This indicates that a user has accessed a group name that is unusual for their typical operations, particularly for actions requiring elevated privileges. +This could point to an attempt to manipulate group memberships or escalate privileges on a system. +""" +from = "now-1h" +interval = "15m" +license = "Elastic License v2" +machine_learning_job_id = "pad_windows_rare_group_name_by_user" +name = "Unusual Group Name Accessed by a User" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad" +] +risk_score = 21 +rule_id = "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). 
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation" +] +type = "machine_learning" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Exfiltration" +reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml new file mode 100644 index 00000000000..89862a3ae70 --- /dev/null +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml 
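Review bot: The tactic block at the end of the hunk maps TA0004 to `"Exfiltration"`; TA0004 is Privilege Escalation (Exfiltration is TA0010), which is also what the `"Tactic: Privilege Escalation"` tag and the `/tactics/TA0004/` reference say, so the line should be `name = "Privilege Escalation"`. The `description` phrasing "a user accessing an uncommon group name" is hard to parse — a group name is a field value, not something a user accesses. Given the job id `pad_windows_rare_group_name_by_user`, something like `a user performing privileged group operations against a group that is rare for that user` states what the job appears to detect; please adjust if the job's detector differs.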
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations, indicating potential privileged access activity.
+This indicates that a user is performing operations requiring elevated privileges but is using a privilege type that is not typically seen in their baseline logs.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_rare_privilege_assigned_to_user"
+name = "Unusual Privilege Type assigned to a User"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "27569131-560e-441e-b556-0b9180af3332"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
new file mode 100644
index 00000000000..aaca91e0d72
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
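Review bot: The rule name `Unusual Privilege Type assigned to a User` says the anomaly is about a privilege being assigned, whereas the description says the user is "leveraging" an uncommon privilege type; assignment and use are distinct actions in Windows auditing, and an analyst needs to know which one the `pad_windows_rare_privilege_assigned_to_user` job scores. Please align both fields with the job definition, since the hunk itself does not show which it is. The name also departs from the Title Case the sibling rules use (`Unusual Group Name Accessed by a User`); `name = "Unusual Privilege Type Assigned to a User"` would match them.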
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Windows from an uncommon geographical location, indicating potential privileged access activity.
+This could suggest a compromised account, unauthorized access, or an attacker using stolen credentials to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_rare_region_name_by_user"
+name = "Unusual Region Name for Windows Privileged Operations Detected"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "d2703b82-f92c-4489-a4a7-62aa29a62542"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
new file mode 100644
index 00000000000..f56265267fc
--- /dev/null
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
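Review bot: Windows security events do not carry a region name on their own, so this job presumably depends on GeoIP enrichment of a source address field; if so, the `setup` text should name the field that must be enriched and say that the job has nothing to score without it, because an operator following the Setup section as written could enable a rule that never produces an anomaly. I cannot confirm the field from this hunk, so please check it against the `pad_windows_rare_region_name_by_user` job configuration. A `false_positives` entry would also help here, e.g. `Users travelling or connecting through a new VPN or cloud egress location may trigger this alert.`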
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["pad", "endpoint", "windows"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has identified a user performing privileged operations in Windows from an uncommon source IP, indicating potential privileged access activity.
+This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges.
+"""
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "pad_windows_rare_source_ip_by_user"
+name = "Unusual Source IP for Windows Privileged Operations Detected"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad"
+]
+risk_score = 21
+rule_id = "08be5599-3719-4bbd-8cbc-7e9cff556881"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation"
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
From ab62af10d7204fbff2ab85015721a4f10f7c7632 Mon Sep 17 00:00:00 2001 From: Kirti Kirti Date: Wed, 19 Feb 2025 15:14:39 -0500 Subject: [PATCH 2/4] Add detection-rules for security host module --- .../ml_high_count_events_for_a_host_name.toml | 58 +++++++++++++++++++ .../ml_low_count_events_for_a_host_name.toml | 58 +++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 rules/ml/ml_high_count_events_for_a_host_name.toml create mode 100644 rules/ml/ml_low_count_events_for_a_host_name.toml
diff --git a/rules/ml/ml_high_count_events_for_a_host_name.toml b/rules/ml/ml_high_count_events_for_a_host_name.toml
new file mode 100644
index 00000000000..87463d84727
--- /dev/null
+++ b/rules/ml/ml_high_count_events_for_a_host_name.toml
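Review bot: A rare source IP per user churns with DHCP leases, VPN pools and NAT egress changes, yet the rule declares no `false_positives`, unlike the PATCH 2/4 rules in this series. An entry such as `Changes in a user's network path, such as VPN, DHCP or NAT address changes, may trigger this alert.` would set expectations for a rule scored at `risk_score = 21`. The `[rule.threat.tactic]` name mismatch raised on the first file of this patch applies to this hunk as well.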
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["endpoint"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected a sudden spike in host based traffic. This can be due to a range of security issues, such as a compromised system, DDoS attacks,
+malware infections, privilege escalation, or data exfiltration.
+"""
+false_positives = [
+ """
+ System updates, scheduled backups, or misconfigured services may trigger this alert.
+ """,
+]
+from = "now-1h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "high_count_events_for_a_host_name"
+name = "Spike in host-based traffic"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "fe8d6507-b543-4bbc-849f-dc0da6db29f6"
+severity = "low"
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"]
+type = "machine_learning"
\ No newline at end of file
diff --git a/rules/ml/ml_low_count_events_for_a_host_name.toml b/rules/ml/ml_low_count_events_for_a_host_name.toml
new file mode 100644
index 00000000000..dd6e3dae098
--- /dev/null
+++ b/rules/ml/ml_low_count_events_for_a_host_name.toml
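Review bot: The job id `high_count_events_for_a_host_name` points to a count of events per host name, but `name = "Spike in host-based traffic"` and the description's "host based traffic" read as network throughput, which sends analysts to the wrong data; ml_low_count_events_for_a_host_name.toml in this patch has the same wording. `name = "Spike in Host-Based Event Volume"` and `sudden spike in the number of events from a host` in the description would match what is scored, and restore the Title Case the PAD rule names use. The causes listed in the description (`DDoS attacks, malware infections, privilege escalation, or data exfiltration`) are not backed by any `[[rule.threat]]` mapping; either add the mapping or trim the list to what an event-count spike can evidence.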
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2025/02/18"
+integration = ["endpoint"]
+maturity = "production"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected a sudden drop in host based traffic. This can be due to a range of security issues, such as a compromised system,
+a failed service, or a network misconfiguration.
+"""
+false_positives = [
+ """
+ Legitimate causes such as system maintenance, server shutdowns, or temporary network outages may trigger this alert.
+ """,
+]
+from = "now-45m"
+interval = "5m"
+license = "Elastic License v2"
+machine_learning_job_id = "low_count_events_for_a_host_name"
+name = "Decline in host-based traffic"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
+- Elastic Defend
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration to your system:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18"
+severity = "low"
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"]
+type = "machine_learning"
\ No newline at end of file
From 0c182f257987ab5e86b0e0cff738a8e5112ea981 Mon Sep 17 00:00:00 2001
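Review bot: `from = "now-45m"` with `interval = "5m"` differs from the sibling ml_high_count_events_for_a_host_name.toml (`now-1h` / `15m`) added in the same patch, and nothing in the hunk says why a drop in event count warrants a three-times more frequent schedule than a spike. If it is deliberate (a host going quiet can be an availability or tamper signal worth surfacing early), record the reason next to `from` or in the description so the next editor does not harmonise it away; if not, align the two rules. The name `Decline in host-based traffic` has the same traffic-versus-events and Title Case issues as the high-count rule.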
From: =?UTF-8?q?Miguel=20Garz=C3=B3n?= Date: Tue, 25 Feb 2025 15:28:57 -0500 Subject: [PATCH 3/4] Issue #661 - Checking PAD job descriptions, tactics and techniques --- ...unt_privileged_process_events_by_user.toml | 13 ++++++------- ..._process_command_line_entropy_by_user.toml | 9 ++++----- ...l_linux_rare_process_executed_by_user.toml | 9 ++++----- ..._high_sum_concurrent_sessions_by_user.toml | 8 ++++++-- ...access_ml_okta_rare_host_name_by_user.toml | 3 +-- ...cess_ml_okta_rare_region_name_by_user.toml | 3 +-- ...access_ml_okta_rare_source_ip_by_user.toml | 3 +-- ..._group_application_assignment_changes.toml | 11 ++++++++++- ...okta_spike_in_group_lifecycle_changes.toml | 12 ++++++++---- ...kta_spike_in_group_membership_changes.toml | 12 ++++++++---- ...okta_spike_in_group_privilege_changes.toml | 11 ++++++++++- ..._in_user_lifecycle_management_changes.toml | 6 +++++- ...ws_high_count_group_management_events.toml | 6 +++++- ...ndows_high_count_special_logon_events.toml | 8 ++++++-- ...gh_count_special_privilege_use_events.toml | 8 ++++++-- ..._count_user_account_management_events.toml | 8 ++++++-- ...access_ml_windows_rare_device_by_user.toml | 3 +-- ...ss_ml_windows_rare_group_name_by_user.toml | 19 +++++++++++++++++-- ...ndows_rare_privilege_assigned_to_user.toml | 8 ++++++-- ...s_ml_windows_rare_region_name_by_user.toml | 3 +-- ...ess_ml_windows_rare_source_ip_by_user.toml | 3 +-- 21 files changed, 113 insertions(+), 53 deletions(-) diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml index 811be97abc8..552abb705b2 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml 
@@ -7,8 +7,8 @@ maturity = "production" anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job has identified an increase in the execution of privileged commands by a user, indicating potential privileged access activity. -This could be a sign that the user is attempting to gain unauthorized access to sensitive or restricted parts of the system. +A machine learning job has detected an increase in the execution of privileged commands by a user, suggesting potential privileged access activity. +This may indicate an attempt by the user to gain unauthorized access to sensitive or restricted parts of the system. """ from = "now-3h" interval = "15m" @@ -52,12 +52,11 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1068" -name = "Exploitation for Privilege Escalation" -reference = "https://attack.mitre.org/techniques/T1068/" - +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml index 5d5ccd293ea..b8c1bcb445e 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml 
@@ -52,12 +52,11 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml index cbda63b1624..40103622370 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml @@ -51,12 +51,11 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1055" -name = "Process Injection" -reference = "https://attack.mitre.org/techniques/T1055/" - +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml index 727e3a7b811..8c5c356bc94 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml 
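Review bot: `T1078 Valid Accounts` is now the only technique on the command-line-entropy job, but a high-entropy command line is a signal about how a command is written (encoding or obfuscation), not about which account runs it, so the hunk replaces one loose mapping (`T1055 Process Injection`) with another. `T1027 Obfuscated Files or Information` under Defense Evasion describes the scored signal more closely and can live in its own `[[rule.threat]]` entry next to the Privilege Escalation one. The adjacent hunk for ..._linux_rare_process_executed_by_user.toml makes the same T1055-to-T1078 change, which is defensible there because that anomaly is keyed on the user.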
@@ -51,13 +51,17 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml index 1f512f104cf..8bd10440e7f 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml @@ -55,8 +55,7 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml index 043140a56d7..2ccad4ed284 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml @@ -55,8 +55,7 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file 
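Review bot: The added `T1068 Exploitation for Privilege Escalation` covers exploitation of a software vulnerability to gain higher privileges, and a spike in a user's concurrent Okta sessions evidences nothing about that; the same technique is added with the same problem in the hunks for ..._okta_spike_in_group_application_assignment_changes.toml, ..._okta_spike_in_group_lifecycle_changes.toml, ..._okta_spike_in_group_membership_changes.toml, ..._okta_spike_in_group_privilege_changes.toml, ..._windows_high_count_special_logon_events.toml, ..._windows_high_count_special_privilege_use_events.toml, ..._windows_high_count_user_account_management_events.toml and ..._windows_rare_group_name_by_user.toml. The group lifecycle and membership hunks additionally remove `T1098 Account Manipulation`, which is the closer fit for those group changes. Since `T1078 Valid Accounts` already carries the Privilege Escalation tactic for every one of these rules, dropping the T1068 entries and restoring T1098 in the two Okta files would leave the mappings defensible.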
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml index def7dadee3e..e44eeddfdc6 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml @@ -55,8 +55,7 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml index 5fcae75b4a0..e5bc2a1121b 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml @@ -55,8 +55,17 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml index 6c48ec59849..97668573cf3 100644 
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml @@ -51,12 +51,16 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml index e7064444a72..415a7333a26 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml @@ -51,12 +51,16 @@ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file 
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml index 0e43163d58e..7af2d7686a7 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml @@ -55,8 +55,17 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml index 478d1a976eb..a96c189dfab 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml @@ -55,8 +55,12 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file 
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml index 70d50c80f40..2d7763fdd21 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml @@ -57,8 +57,12 @@ id = "T1098" name = "Account Manipulation" reference = "https://attack.mitre.org/techniques/T1098/" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml index f7f5ad9dc46..b6ce4973b68 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml @@ -51,13 +51,17 @@ tags = [ type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" - [rule.threat.tactic] id = "TA0004" -name = "Exfiltration" +name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file 
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
index 76a5c0d89ce..abc7ff98c69 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml
@@ -51,13 +51,17 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
-name = "Exfiltration"
+name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
index 3e96515faa1..fcbc922626b 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
@@ -52,13 +52,17 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
-name = "Exfiltration"
+name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
index e06792fb3b5..b7014a84b6f 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
@@ -56,8 +56,7 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
-name = "Exfiltration"
+name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
index 97ef15e0c2f..6592c2f521d 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
@@ -52,13 +52,28 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
 [rule.threat.tactic]
 id = "TA0004"
-name = "Exfiltration"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
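Review bot: The second `[rule.threat.tactic]` header added at the end of privileged_access_ml_windows_rare_group_name_by_user.toml redefines a table that the same `[[rule.threat]]` element already defines a few lines above, which is invalid TOML (a table may be defined only once) and will fail to parse before any rule-schema validation runs. Every other rule in this series carries exactly one tactic per `[[rule.threat]]` entry with its techniques listed under it, so the Discovery mapping should be a second `[[rule.threat]]` entry that owns the T1069 technique and `TA0007`, while the first entry keeps T1068/T1078 under `TA0004`; the T1069 block added between the T1078 table and the first `[rule.threat.tactic]` is then removed. The `[[rule.threat]]` header of the first entry is inside the hunk; the `[rule]` table it belongs to starts outside it.

```toml
# … unchanged: first [[rule.threat]] entry (T1068 and T1078 under TA0004), without the T1069 block …

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1069"
name = "Permission Groups Discovery"
reference = "https://attack.mitre.org/techniques/T1069/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
```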
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
index 89862a3ae70..a5e52b0732f 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
@@ -51,13 +51,17 @@ tags = [
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
 [[rule.threat.technique]]
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
-name = "Exfiltration"
+name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
index aaca91e0d72..ab2d7639c1a 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml
@@ -56,8 +56,7 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
-name = "Exfiltration"
+name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
index f56265267fc..ed9d6dd2993 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml
@@ -56,8 +56,7 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
 [rule.threat.tactic]
 id = "TA0004"
-name = "Exfiltration"
+name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
From e948fe45fd946360f4eaad43ed67150df5bf8355 Mon Sep 17 00:00:00 2001
From: Kirti Kirti
Date: Tue, 4 Mar 2025 14:29:35 -0500
Subject: [PATCH 4/4] Remove security host traffic rules from this branch
---
.../ml_high_count_events_for_a_host_name.toml | 58 -------------------
.../ml_low_count_events_for_a_host_name.toml | 58 -------------------
2 files changed, 116 deletions(-)
delete mode 100644 rules/ml/ml_high_count_events_for_a_host_name.toml
delete mode 100644 rules/ml/ml_low_count_events_for_a_host_name.toml
diff --git a/rules/ml/ml_high_count_events_for_a_host_name.toml b/rules/ml/ml_high_count_events_for_a_host_name.toml
deleted file mode 100644
index 87463d84727..00000000000
--- a/rules/ml/ml_high_count_events_for_a_host_name.toml
+++ /dev/null
@@ -1,58 +0,0 @@ -[metadata] -creation_date = "2025/02/18" -integration = ["endpoint"] -maturity = "production" - -[rule] -anomaly_threshold = 75 -author = ["Elastic"] -description = """ -A machine learning job detected a sudden spike in host based traffic. This can be due to a range of security issues, such as a compromised system, DDoS attacks, -malware infections, privilege escalation, or data exfiltration. -""" -false_positives = [ - """ - System updates, scheduled backups, or misconfigured services may trigger this alert. - """, -] -from = "now-1h" -interval = "15m" -license = "Elastic License v2" -machine_learning_job_id = "high_count_events_for_a_host_name" -name = "Spike in host-based traffic" -setup = """## Setup - -This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: -- Elastic Defend - -### Anomaly Detection Setup - -Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). - -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). - -#### The following steps should be executed in order to add the Elastic Defend integration to your system: -- Go to the Kibana home page and click "Add integrations". 
-- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. -- Click "Add Elastic Defend". -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). -- Click "Save and Continue". -- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). -""" -references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] -risk_score = 21 -rule_id = "fe8d6507-b543-4bbc-849f-dc0da6db29f6" -severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] -type = "machine_learning" \ No newline at end of file diff --git a/rules/ml/ml_low_count_events_for_a_host_name.toml b/rules/ml/ml_low_count_events_for_a_host_name.toml deleted file mode 100644 index dd6e3dae098..00000000000 --- a/rules/ml/ml_low_count_events_for_a_host_name.toml +++ /dev/null 
@@ -1,58 +0,0 @@ -[metadata] -creation_date = "2025/02/18" -integration = ["endpoint"] -maturity = "production" - -[rule] -anomaly_threshold = 75 -author = ["Elastic"] -description = """ -A machine learning job detected a sudden drop in host based traffic. This can be due to a range of security issues, such as a compromised system, -a failed service, or a network misconfiguration. -""" -false_positives = [ - """ - Legitimate causes such as system maintenance, server shutdowns, or temporary network outages may trigger this alert. - """, -] -from = "now-45m" -interval = "5m" -license = "Elastic License v2" -machine_learning_job_id = "low_count_events_for_a_host_name" -name = "Decline in host-based traffic" -setup = """## Setup - -This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations: -- Elastic Defend - -### Anomaly Detection Setup - -Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html). - -### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. - -#### Prerequisite Requirements: -- Fleet is required for Elastic Defend. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). - -#### The following steps should be executed in order to add the Elastic Defend integration to your system: -- Go to the Kibana home page and click "Add integrations". 
-- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. -- Click "Add Elastic Defend". -- Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". -- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. -For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html). -- Click "Save and Continue". -- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. -For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). -""" -references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] -risk_score = 21 -rule_id = "ad66db2e-1cc7-4a2c-8fa5-5f3895e44a18" -severity = "low" -tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"] -type = "machine_learning" \ No newline at end of file