rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml

[metadata]
creation_date = "2020/09/22"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order
to harvest credentials or user data scripts containing secrets.
"""
false_positives = [
    """
    A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this
    detection rule.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_linux_rare_metadata_process"]
name = "Unusual Linux Process Calling the Metadata Service"
risk_score = 21
rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"

  [[rule.threat.technique.subtechnique]]
  id = "T1552.005"
  name = "Cloud Instance Metadata API"
  reference = "https://attack.mitre.org/techniques/T1552/005/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[New Rule] Unusual Process Calling the Metadata Service [Linux] (#321 ) 2020-09-23 15:29:48 -04:00			`[metadata]`
			`creation_date = "2020/09/22"`
Adding related integrations to ML rules (#2972 ) 2023-08-22 20:39:18 +02:00			`integration = ["auditd_manager", "endpoint"]`
[New Rule] Unusual Process Calling the Metadata Service [Linux] (#321 ) 2020-09-23 15:29:48 -04:00			`maturity = "production"`
Adding related integrations to ML rules (#2972 ) 2023-08-22 20:39:18 +02:00			`updated_date = "2023/07/27"`
min_stack all rules to 8.3 (#2259 ) 2022-08-24 10:38:49 -06:00			`min_stack_comments = "New fields added: required_fields, related_integrations, setup"`
Modifying rules assoc w/ deprecation of v2 ML jobs (#1846 ) 2022-05-20 15:02:27 -05:00			`min_stack_version = "8.3.0"`
[New Rule] Unusual Process Calling the Metadata Service [Linux] (#321 ) 2020-09-23 15:29:48 -04:00
			`[rule]`
			`anomaly_threshold = 50`
			`author = ["Elastic"]`
			`description = """`
			`Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order`
			`to harvest credentials or user data scripts containing secrets.`
			`"""`
			`false_positives = [`
			`"""`
			`A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this`
			`detection rule.`
			`""",`
			`]`
			`from = "now-45m"`
			`interval = "15m"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`license = "Elastic License v2"`
Modifying rules assoc w/ deprecation of v2 ML jobs (#1846 ) 2022-05-20 15:02:27 -05:00			`machine_learning_job_id = ["v3_linux_rare_metadata_process"]`
[Rule Tuning] Minor Rule Tweaks for 7.10 (#400 ) 2020-10-22 09:07:04 -04:00			`name = "Unusual Linux Process Calling the Metadata Service"`
[New Rule] Unusual Process Calling the Metadata Service [Linux] (#321 ) 2020-09-23 15:29:48 -04:00			`risk_score = 21`
			`rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"`
			`severity = "low"`
[Security Content] Tags Reform (#2725 ) 2023-06-22 18:38:56 -03:00			`tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]`
[New Rule] Unusual Process Calling the Metadata Service [Linux] (#321 ) 2020-09-23 15:29:48 -04:00			`type = "machine_learning"`

[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 ) 2022-07-22 14:30:34 -04:00			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1552"`
			`name = "Unsecured Credentials"`
			`reference = "https://attack.mitre.org/techniques/T1552/"`

			`[[rule.threat.technique.subtechnique]]`
			`id = "T1552.005"`
			`name = "Cloud Instance Metadata API"`
			`reference = "https://attack.mitre.org/techniques/T1552/005/"`


			`[rule.threat.tactic]`
			`id = "TA0006"`
			`name = "Credential Access"`
			`reference = "https://attack.mitre.org/tactics/TA0006/"`