security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Fleet] Track integrations in folder and metadata (#1372)

Browse Source 
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests

Removed changes from:
- rules/cyberark/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
- rules/cyberark/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml

(selectively cherry picked from commit 1882f4456c)
This commit is contained in:
Ross Wolf
2021-07-21 15:24:56 -06:00
committed by github-actions[bot]
parent a578a3815c
commit b13c369dab
154 changed files with 396 additions and 177 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/azure/execution_command_virtual_machine.toml
+60
View File
@@ -0,0 +1,60 @@
[metadata]
creation_date = "2020/08/17"
maturity = "production"
updated_date = "2021/07/20"
integration = "azure"
[rule]
author = ["Elastic"]
description = """
Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage
virtual machines, but not access them, nor access the virtual network or storage account theyre connected to. However,
commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles
may be able to execute commands on a VM as well.
"""
false_positives = [
"""
Command execution on a virtual machine may be done by a system or network administrator. Verify whether the
username, hostname, and/or resource name should be making changes in your environment. Command execution from
unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
from the rule.
""",
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Command Execution on Virtual Machine"
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://adsecurity.org/?p=4277",
"https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
"https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor",
]
risk_score = 47
rule_id = "60884af6-f553-4a6c-af13-300047455491"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"