Add investigation guides (#2326)
This commit is contained in:
shashank-elastic
@@ -3,7 +3,7 @@ creation_date = "2022/09/14"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/14"
|
||||
updated_date = "2022/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -15,7 +15,43 @@ from = "now-9m"
|
||||
index = ["auditbeat-*", "logs-system.auth-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential SSH Password Spraying"
|
||||
name = "Potential SSH Password Guessing"
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Potential SSH Password Guessing Attack
|
||||
|
||||
The rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the
|
||||
same target host indicating a successful attempt of brute force password guessing.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the login failure user name(s).
|
||||
- Investigate the source IP address of the failed ssh login attempt(s).
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Identify the source and the target computer and their roles in the IT environment.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
- Authentication misconfiguration or obsolete credentials.
|
||||
- Service account password expired.
|
||||
- Infrastructure or availability issue.
|
||||
|
||||
### Response and remediation
|
||||
|
||||
- Initiate the incident response process based on the outcome of the triage.
|
||||
- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial
|
||||
access to the system(s).
|
||||
- Isolate the involved hosts to prevent further post-compromise behavior.
|
||||
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
|
||||
identified.
|
||||
- Reset passwords for these accounts and other potentially compromised credentials.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
"""
|
||||
risk_score = 47
|
||||
rule_id = "8cb84371-d053-4f4f-bce0-c74990e28f28"
|
||||
severity = "medium"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2022/09/14"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/14"
|
||||
updated_date = "2022/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -17,6 +17,40 @@ index = ["auditbeat-*", "logs-system.auth-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential SSH Brute Force Detected"
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Potential SSH Brute Force Attack
|
||||
|
||||
The rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the
|
||||
same target host indicating brute force login attempts.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the login failure user name(s).
|
||||
- Investigate the source IP address of the failed ssh login attempt(s).
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Identify the source and the target computer and their roles in the IT environment.
|
||||
|
||||
### False positive analysis
|
||||
|
||||
- Authentication misconfiguration or obsolete credentials.
|
||||
- Service account password expired.
|
||||
- Infrastructure or availability issue.
|
||||
|
||||
### Response and remediation
|
||||
|
||||
- Initiate the incident response process based on the outcome of the triage.
|
||||
- Isolate the involved hosts to prevent further post-compromise behavior.
|
||||
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
|
||||
identified.
|
||||
- Reset passwords for these accounts and other potentially compromised credentials.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
"""
|
||||
risk_score = 47
|
||||
rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb"
|
||||
severity = "medium"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2022/09/14"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2022/09/14"
|
||||
updated_date = "2022/09/23"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -17,6 +17,38 @@ index = ["auditbeat-*", "logs-system.auth-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential SSH Brute Force Detected on Privileged Account"
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Potential SSH Brute Force Attack on Privileged Account
|
||||
|
||||
The rule identifies consecutive SSH login failures targeting a privileged (root) account from the same source IP
|
||||
address to the same target host indicating brute force login attempts.
|
||||
|
||||
#### Possible investigation steps
|
||||
|
||||
- Investigate the login failure on privileged account(s).
|
||||
- Investigate the source IP address of the failed ssh login attempt(s).
|
||||
- Investigate other alerts associated with the user/host during the past 48 hours.
|
||||
- Identify the source and the target computer and their roles in the IT environment.
|
||||
|
||||
### False positive analysis
|
||||
- Authentication misconfiguration or obsolete credentials.
|
||||
- Service account password expired.
|
||||
- Infrastructure or availability issue.
|
||||
|
||||
### Response and remediation
|
||||
- Initiate the incident response process based on the outcome of the triage.
|
||||
- Isolate the involved hosts to prevent further post-compromise behavior.
|
||||
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
|
||||
identified.
|
||||
- Reset passwords for these accounts and other potentially compromised credentials.
|
||||
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
|
||||
malware components.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
"""
|
||||
risk_score = 73
|
||||
rule_id = "a5f0d057-d540-44f5-924d-c6a2ae92f045"
|
||||
severity = "high"
|
||||
|
||||
Reference in New Issue
Block a user