[Rule Tuning] Agent Spoofing (#3729)

(cherry picked from commit 90bb8b53d8)
Ruben Groenewoud
2024-06-03 19:28:24 +02:00
committed by github-actions[bot]
parent 6727460385
commit b719927d66
@@ -1,13 +1,13 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/05/31"
[rule]
author = ["Elastic"]
description = """
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch" occurs when the
expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when
the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
attempts to spoof events in order to masquerade actual activity to evade detection.
"""
false_positives = [
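Review bot: The rewritten description on the `Detects events…` lines presents the two accepted values as one slash-joined token, `"agent_id_mismatch/mismatch"`, which reads as a single status name rather than two alternatives. Suggest `The status "agent_id_mismatch" or "mismatch" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event.` so the prose mirrors the query's `(agent_id_mismatch or mismatch)` disjunction. If the two values come from different field conventions (presumably an older value and the current one), one sentence saying so would tell an analyst which value to expect in their own data. The `false_positives` array that opens on the last line of this hunk continues outside it.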
@@ -29,20 +29,18 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.agent_id_status:agent_id_mismatch
event.agent_id_status:(agent_id_mismatch or mismatch)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
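Review bot: Broadening the query to `event.agent_id_status:(agent_id_mismatch or mismatch)` widens what the rule fires on, but nothing in the rule records why the second value is needed or whether it carries the same meaning as the first; that context belongs in the rule file rather than only in the commit message. A `mismatch` status is presumably set on the ingest side whenever the authenticated API-key identity and the event's agent ID disagree, so ingestion paths where the agent identity is not tied to the key (custom API keys, replayed or re-ingested data) could raise it without any spoofing; it is worth checking whether the `false_positives` entries, which sit outside this hunk, already cover that and extending them if not. The threat mapping below the query is unchanged, and the file appears to end with this hunk.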