2020-06-29 22:57:00 -06:00
[ metadata ]
creation_date = "2020/02/18"
maturity = "production"
2022-08-24 10:38:49 -06:00
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
2023-06-22 18:38:56 -03:00
updated_date = "2023/06/22"
2023-04-03 09:42:40 -04:00
promotion = true
2020-06-29 22:57:00 -06:00
[ rule ]
author = [ "Elastic" ]
description = "" "
2021-03-04 17:21:17 -05:00
Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the
2020-10-26 13:50:45 -05:00
rule.reference column for additional information.
2020-06-29 22:57:00 -06:00
" ""
from = "now-15m"
index = [ "endgame-*" ]
interval = "10m"
language = "kuery"
2021-03-03 22:12:11 -09:00
license = "Elastic License v2"
2021-12-14 11:52:12 -03:00
max_signals = 10000
2021-03-04 17:21:17 -05:00
name = "Exploit - Detected - Elastic Endgame"
2020-06-29 22:57:00 -06:00
risk_score = 73
rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
severity = "high"
2023-06-22 18:38:56 -03:00
tags = [ "Data Source: Elastic Endgame" , "Use Case: Threat Detection" , "Tactic: Execution" , "Tactic: Privilege Escalation" ]
2020-06-29 22:57:00 -06:00
type = "query"
query = '' '
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
' ''
2022-07-22 14:30:34 -04:00
[ [ rule . threat ] ]
framework = "MITRE ATT&CK"
[ rule . threat . tactic ]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[ [ rule . threat ] ]
framework = "MITRE ATT&CK"
[ [ rule . threat . technique ] ]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[ rule . threat . tactic ]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
