From 2f062ecf844db903130c8e42e07f70cd9342f8ba Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Fri, 23 Sep 2022 20:18:48 +0530
Subject: [PATCH] Add investigation guides (#2326)

---
 ...l_access_bruteforce_passowrd_guessing.toml | 40 ++++++++++++++++++-
 ...access_potential_linux_ssh_bruteforce.toml | 36 ++++++++++++++++-
 ...s_potential_linux_ssh_bruteforce_root.toml | 34 +++++++++++++++-
 3 files changed, 106 insertions(+), 4 deletions(-)

diff --git a/rules/linux/credential_access_bruteforce_passowrd_guessing.toml b/rules/linux/credential_access_bruteforce_passowrd_guessing.toml
index ee418c46a..585479e0e 100644
--- a/rules/linux/credential_access_bruteforce_passowrd_guessing.toml
+++ b/rules/linux/credential_access_bruteforce_passowrd_guessing.toml
@@ -3,7 +3,7 @@ creation_date = "2022/09/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/14"
+updated_date = "2022/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,43 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential SSH Password Spraying"
+name = "Potential SSH Password Guessing"
+note = """## Triage and analysis
+
+### Investigating Potential SSH Password Guessing Attack
+
+The rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the
+same target host indicating a successful attempt of brute force password guessing.
+
+#### Possible investigation steps
+
+- Investigate the login failure user name(s).
+- Investigate the source IP address of the failed ssh login attempt(s).
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Identify the source and the target computer and their roles in the IT environment.
+
+### False positive analysis
+
+- Authentication misconfiguration or obsolete credentials.
+- Service account password expired.
+- Infrastructure or availability issue.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial
+access to the system(s).
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified.
+- Reset passwords for these accounts and other potentially compromised credentials.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+"""
 risk_score = 47
 rule_id = "8cb84371-d053-4f4f-bce0-c74990e28f28"
 severity = "medium"
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
index 8cbc35af7..ac596cd88 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
@@ -3,7 +3,7 @@ creation_date = "2022/09/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/14"
+updated_date = "2022/09/23"
 
 [rule]
 author = ["Elastic"]
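Review bot: The `### False positive analysis` list in the added `note` is copied from the brute-force guide and omits the most common benign match for this rule, which by its own description fires on failures followed by a successful login: a legitimate user mistyping their password a few times and then signing in. Add `- Legitimate user mistyping a password several times before a successful login.` there, and open the investigation steps with the fact that distinguishes this rule, e.g. `- Confirm with the account owner whether the successful login that followed the failures was theirs, and review that session's activity (commands run, files accessed, processes spawned).` `#### Possible investigation steps` is an h4 between h3 siblings; `### Possible investigation steps` keeps the outline consistent. The rule is renamed to "Password Guessing" while the file path keeps the `passowrd` typo, so a rename would be worth doing in the same change. The `[rule]` table this hunk edits starts before the hunk.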
@@ -17,6 +17,40 @@ index = ["auditbeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential SSH Brute Force Detected"
+note = """## Triage and analysis
+
+### Investigating Potential SSH Brute Force Attack
+
+The rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the
+same target host indicating brute force login attempts.
+
+#### Possible investigation steps
+
+- Investigate the login failure user name(s).
+- Investigate the source IP address of the failed ssh login attempt(s).
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Identify the source and the target computer and their roles in the IT environment.
+
+### False positive analysis
+
+- Authentication misconfiguration or obsolete credentials.
+- Service account password expired.
+- Infrastructure or availability issue.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified.
+- Reset passwords for these accounts and other potentially compromised credentials.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+"""
 risk_score = 47
 rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb"
 severity = "medium"
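Review bot: The investigation steps in the added `note` never ask whether any of the attempts succeeded, which is the one fact that separates background noise from an intrusion for a failures-only rule. Add `- Check whether any login from the same source IP to the same target host succeeded after the failures; if one did, handle it as the Potential SSH Password Guessing case and terminate the active session(s).` as the first step. The `### Response and remediation` list also has no containment for the source of the attempts, which this commit's guide for the password-guessing rule handles via session termination but this one does not; `- Block or rate-limit the source IP at the host firewall or perimeter, and enable lockout after repeated failures.` would close that gap. The `[rule]` table this hunk edits starts before the hunk.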
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
index 6cd1c90fa..76bc20b57 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
@@ -3,7 +3,7 @@ creation_date = "2022/09/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/09/14"
+updated_date = "2022/09/23"
 
 [rule]
 author = ["Elastic"]
@@ -17,6 +17,38 @@ index = ["auditbeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential SSH Brute Force Detected on Privileged Account"
+note = """## Triage and analysis
+
+### Investigating Potential SSH Brute Force Attack on Privileged Account
+
+The rule identifies consecutive SSH login failures targeting a privileged (root) account from the same source IP
+address to the same target host indicating brute force login attempts.
+
+#### Possible investigation steps
+
+- Investigate the login failure on privileged account(s).
+- Investigate the source IP address of the failed ssh login attempt(s).
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Identify the source and the target computer and their roles in the IT environment.
+
+### False positive analysis
+- Authentication misconfiguration or obsolete credentials.
+- Service account password expired.
+- Infrastructure or availability issue.
+
+### Response and remediation
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved hosts to prevent further post-compromise behavior.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified.
+- Reset passwords for these accounts and other potentially compromised credentials.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+
+"""
 risk_score = 73
 rule_id = "a5f0d057-d540-44f5-924d-c6a2ae92f045"
 severity = "high"
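Review bot: The `### Response and remediation` list in the added `note` never addresses the configuration that makes a root brute force possible in the first place: password-based SSH login for root. Add `- Verify whether direct root SSH login is required; if not, disable it (PermitRootLogin no, or prohibit-password, in sshd_config) and require key-based authentication for privileged accounts.` so the guide ends with a durable fix rather than only a cleanup. The first investigation step should also establish whether any of the root attempts succeeded, since a success on a privileged account changes the severity of everything that follows; `- Check whether any root login from the same source IP succeeded after the failures.` covers it. As a point of style, this guide drops the blank line after `### False positive analysis` and `### Response and remediation` that the two sibling guides in this commit include; matching them keeps the rendered Markdown consistent. The `[rule]` table this hunk edits starts before the hunk.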