[Docs | Rule Tuning] Add blog references to rules (#4097)

* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* add okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
This commit is contained in:
Mika Ayenson
2024-09-25 15:19:20 -05:00
committed by GitHub
parent 0ed6b3f0a2
commit b80d8342d6
164 changed files with 970 additions and 499 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/05/04"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/07/05"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_mana
language = "eql"
license = "Elastic License v2"
name = "Tampering of Shell Command-Line History"
references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
risk_score = 47
rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
setup = """## Setup
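Review bot: The only reference this rule now carries (L39) is the Log4j2 detection post, and its relevance to "Tampering of Shell Command-Line History" (L38) is not evident from the hunk; an analyst opening the rule's references expects material on the technique itself (history clearing, HISTFILE/HISTSIZE manipulation). If the post discusses history tampering as a post-exploitation step, the link is fine but worth pointing at explicitly in the rule's `note`, e.g. `See the anti-forensics section of the Log4j2 post for the shell-history clearing observed in that campaign.`; otherwise pair it with a technique-specific reference so the array is not a single tangential link. This is inferred from the rule name only, since the description is outside the hunk.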
@@ -2,7 +2,7 @@
creation_date = "2020/01/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -48,6 +48,7 @@ references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
"https://github.com/WangYihang/Reverse-Shell-Manager",
"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/",
"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
]
risk_score = 73
rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"
@@ -2,7 +2,7 @@
creation_date = "2021/01/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Privilege Escalation via Sudoers File Modification"
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 73
rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
severity = "high"
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/19"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -19,6 +19,7 @@ language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "SUID/SGID Bit Set"
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
@@ -32,6 +33,7 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.name == "chmod" and (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) or
@@ -48,24 +50,24 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -73,3 +75,4 @@ framework = "MITRE ATT&CK"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -2,7 +2,7 @@
creation_date = "2020/04/13"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Sudoers File Modification"
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 47
rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "medium"
@@ -1,27 +1,30 @@
[metadata]
creation_date = "2024/06/03"
maturity = "production"
integration = ["fim"]
updated_date = "2024/07/09"
maturity = "production"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
description = """
This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are
commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for
cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control,
init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the
paths specified in the query need to be added to the FIM policy in the Elastic Security app.
commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron
jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init
daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths
specified in the query need to be added to the FIM policy in the Elastic Security app.
"""
from = "now-9m"
index = ["logs-fim.event-*", "auditbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Persistence via File Modification"
references = [
"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 21
rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
setup = """
## Setup
setup = """## Setup
This rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.
@@ -46,10 +49,11 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Privilege Escalation",
"Data Source: File Integrity Monitoring"
"Data Source: File Integrity Monitoring",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.dataset == "fim.event" and event.action == "updated" and
file.path : (
@@ -112,29 +116,39 @@ file.path : (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[[rule.threat.technique.subtechnique]]
id = "T1037.004"
name = "RC Scripts"
reference = "https://attack.mitre.org/techniques/T1037/004/"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1136/001/"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.002"
name = "Systemd Service"
reference = "https://attack.mitre.org/techniques/T1543/002/"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
@@ -144,51 +158,42 @@ reference = "https://attack.mitre.org/techniques/T1556/"
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1136/001/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
@@ -2,7 +2,7 @@
creation_date = "2022/08/24"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -76,7 +76,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/1247799?hl=en"]
references = [
"https://support.google.com/a/answer/1247799?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce"
severity = "medium"
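Review bot: The expanded `references` array at L272–L276 omits the trailing comma after its last element, while the sibling hunk at L640–L644 and the pre-existing multi-line arrays (L56, L166, L400) all keep one; the same omission appears in most of the other Google Workspace hunks in this commit. The Okta hunks at L811–L812 and L830–L831 show why this matters: the previous append to an array without a trailing comma left `"...brute-force-attacks/"` unterminated, which is a TOML syntax error until someone noticed. Ending each array element with a comma, i.e. `"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",` before `]`, keeps the rule files consistent and makes the next reference addition a one-line diff.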
@@ -2,7 +2,7 @@
creation_date = "2022/09/13"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -76,7 +76,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/2685650?hl=en"]
references = [
"https://support.google.com/a/answer/2685650?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2023/03/21"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -36,7 +36,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/drive/answer/2494822"]
references = [
"https://support.google.com/drive/answer/2494822",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 73
rule_id = "980b70a0-c820-11ed-8799-f661ea17fbcc"
severity = "high"
@@ -2,7 +2,7 @@
creation_date = "2022/08/25"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -79,7 +79,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/6328701?hl=en#"]
references = [
"https://support.google.com/a/answer/6328701?hl=en#",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "495e5f2e-2480-11ed-bea8-f661ea17fbce"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -74,7 +74,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/6160020?hl=en"]
references = [
"https://support.google.com/a/answer/6160020?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 73
rule_id = "cf549724-c577-4fd6-8f9b-d1b8ec519ec0"
severity = "high"
@@ -2,7 +2,7 @@
creation_date = "2022/09/06"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -74,7 +74,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/9176657?hl=en"]
references = [
"https://support.google.com/a/answer/9176657?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "7caa8e60-2df0-11ed-b814-f661ea17fbce"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2023/03/30"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/07/10"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -35,6 +35,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = [
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
"https://developers.google.com/apps-script/guides/bound",
"https://developers.google.com/identity/protocols/oauth2",
]
@@ -2,7 +2,7 @@
creation_date = "2022/08/25"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/06/28"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -81,7 +81,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/6089179?hl=en"]
references = [
"https://support.google.com/a/answer/6089179?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "a2795334-2499-11ed-9e1a-f661ea17fbce"
severity = "medium"
@@ -3,7 +3,7 @@ creation_date = "2023/01/15"
integration = ["google_workspace"]
maturity = "production"
promotion = true
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -31,7 +31,11 @@ note = """## Setup
This is a promotion rule for Google Workspace security events, which are alertable events per the vendor.
Consult vendor documentation on interpreting specific events.
"""
references = ["https://workspace.google.com/products/admin/alert-center/"]
references = [
"https://workspace.google.com/products/admin/alert-center/",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 73
rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
rule_name_override = "google_workspace.alert.type"
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -74,7 +74,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/2406043?hl=en"]
references = [
"https://support.google.com/a/answer/2406043?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "93e63c3e-4154-4fc6-9f86-b411e0987bbf"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -76,7 +76,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/9176657?hl=en#"]
references = [
"https://support.google.com/a/answer/9176657?hl=en#",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2023/02/16"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -78,7 +78,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/33329"]
references = [
"https://support.google.com/a/answer/33329",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "38f384e0-aef8-11ed-9a38-f661ea17fbcc"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -36,7 +36,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/1110339"]
references = [
"https://support.google.com/a/answer/1110339",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 21
rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc"
severity = "low"
@@ -2,7 +2,7 @@
creation_date = "2023/03/07"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/06/28"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -81,6 +81,7 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = [
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
"https://developers.google.com/apps-script/guides/bound",
"https://support.google.com/a/users/answer/13004165#share_make_a_copy_links",
]
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -78,7 +78,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/6328701?hl=en#"]
references = [
"https://support.google.com/a/answer/6328701?hl=en#",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "785a404b-75aa-4ffd-8be5-3334a5a544dd"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2022/08/26"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -78,7 +78,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/9176657?hl=en"]
references = [
"https://support.google.com/a/answer/9176657?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "5e161522-2545-11ed-ac47-f661ea17fbce"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -81,7 +81,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/172176?hl=en"]
references = [
"https://support.google.com/a/answer/172176?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 73
rule_id = "68994a6c-c7ba-4e82-b476-26a26877adf6"
severity = "high"
@@ -2,7 +2,7 @@
creation_date = "2020/11/12"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/06/28"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -75,7 +75,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://developers.google.com/admin-sdk/directory/v1/guides/delegation"]
references = [
"https://developers.google.com/admin-sdk/directory/v1/guides/delegation",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -79,7 +79,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/2406043?hl=en"]
references = [
"https://support.google.com/a/answer/2406043?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
]
risk_score = 47
rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -77,6 +77,11 @@ The Google Workspace Fleet integration, the Filebeat module, or data that's simi
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = [
"https://support.google.com/a/answer/7061566",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73"
severity = "medium"
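Review bot: The new `references` array at L660–L664 leads with `https://support.google.com/a/answer/7061566`, which is the Google Workspace log-setup page already linked in the rule's setup note two lines above (L658); the same pattern appears in the hunk at L722. In this repository `references` is read as the threat/technique background for analysts, so a data-onboarding link there is noise and duplicates the note. Unless the intent is to surface the setup doc in the alert UI, drop it and keep the array to the two Security Labs posts, e.g. `references = [` followed by the part-one and part-two URLs. The rule name and description are outside the hunk, so I cannot tell whether a technique-specific Google support article would be a better first entry.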
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -81,7 +81,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/2406043?hl=en"]
references = [
"https://support.google.com/a/answer/2406043?hl=en",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2022/09/06"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -80,7 +80,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = ["https://support.google.com/a/answer/6328701?hl=en#"]
references = [
"https://support.google.com/a/answer/6328701?hl=en#",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 21
rule_id = "cc6a8a20-2df2-11ed-8378-f661ea17fbce"
severity = "low"
@@ -2,7 +2,7 @@
creation_date = "2020/11/17"
integration = ["google_workspace"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -75,6 +75,11 @@ The Google Workspace Fleet integration, Filebeat module, or similarly structured
- See the following references for further information:
- https://support.google.com/a/answer/7061566
- https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"""
references = [
"https://support.google.com/a/answer/7061566",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
"https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
]
risk_score = 47
rule_id = "e555105c-ba6d-481f-82bb-9b633e7b4827"
severity = "medium"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -58,6 +58,9 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 73
rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
@@ -2,7 +2,7 @@
creation_date = "2020/08/19"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -57,6 +57,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
@@ -2,7 +2,7 @@
creation_date = "2023/11/10"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -67,6 +67,8 @@ references = [
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "50887ba8-7ff7-11ee-a038-f661ea17fbcd"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
min_stack_version = "8.13.0"
updated_date = "2024/06/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -60,6 +60,8 @@ references = [
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "cc382a2e-7e52-11ee-9aac-f661ea17fbcd"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
min_stack_version = "8.13.0"
updated_date = "2024/06/20"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -72,7 +72,9 @@ references = [
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"
"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "94e734c0-2cda-11ef-84e1-f661ea17fbce"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
min_stack_version = "8.13.0"
updated_date = "2024/06/20"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -69,7 +69,9 @@ references = [
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"
"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "95b99adc-2cda-11ef-84e1-f661ea17fbce"
@@ -2,7 +2,7 @@
creation_date = "2020/07/16"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -57,6 +57,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
@@ -2,7 +2,7 @@
creation_date = "2023/11/18"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -55,6 +55,8 @@ references = [
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 73
rule_id = "8a0fbd26-867f-11ee-947c-f661ea17fbcd"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
min_stack_version = "8.13.0"
updated_date = "2024/06/20"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -72,7 +72,9 @@ references = [
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"
"https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "23f18264-2d6d-11ef-9413-f661ea17fbce"
@@ -2,7 +2,7 @@
creation_date = "2022/01/05"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 73
rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
@@ -2,7 +2,7 @@
creation_date = "2022/03/22"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -51,6 +51,9 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
]
risk_score = 73
rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911"
@@ -2,7 +2,7 @@
creation_date = "2020/11/06"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1"
@@ -2,7 +2,7 @@
creation_date = "2020/11/06"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad"
@@ -2,7 +2,7 @@
creation_date = "2024/09/11"
integration = ["okta"]
maturity = "production"
updated_date = "2024/09/11"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -21,7 +21,9 @@ license = "Elastic License v2"
name = "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials"
references = [
"https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/",
"https://developer.okta.com/docs/reference/api/event-types/"
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "6649e656-6f85-11ef-8876-f661ea17fbcc"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -66,6 +66,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -65,6 +65,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
@@ -2,7 +2,7 @@
creation_date = "2020/05/28"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -66,6 +66,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9"
@@ -2,7 +2,7 @@
creation_date = "2020/11/06"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -65,6 +65,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -64,6 +64,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -54,6 +54,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -63,6 +63,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
@@ -2,7 +2,7 @@
creation_date = "2020/08/19"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -56,6 +56,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -52,6 +52,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7"
@@ -2,7 +2,7 @@
creation_date = "2020/11/06"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -56,6 +56,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a"
@@ -2,7 +2,7 @@
creation_date = "2020/11/06"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -27,6 +27,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f"
@@ -2,7 +2,7 @@
creation_date = "2020/11/06"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -28,6 +28,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -21,6 +21,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68"
@@ -2,7 +2,7 @@
creation_date = "2023/11/07"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -45,6 +45,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/#issuer-object",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"
@@ -2,7 +2,7 @@
creation_date = "2023/11/07"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -50,6 +50,8 @@ references = [
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://unit42.paloaltonetworks.com/muddled-libra/",
"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "260486ee-7d98-11ee-9599-f661ea17fbcd"
@@ -2,7 +2,7 @@
creation_date = "2023/05/07"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Austin Songer"]
@@ -24,6 +24,8 @@ references = [
"https://developer.okta.com/docs/reference/api/event-types/",
"https://sec.okta.com/fastpassphishingdetection",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e"
@@ -2,7 +2,7 @@
creation_date = "2021/05/14"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -18,6 +18,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "ES|QL rule type becomes available in 8.13.0 as technical preview."
min_stack_version = "8.13.0"
updated_date = "2024/06/20"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -64,6 +64,8 @@ references = [
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "2e56e1bc-867a-11ee-b13e-f661ea17fbcd"
@@ -2,7 +2,7 @@
creation_date = "2023/11/06"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://unit42.paloaltonetworks.com/muddled-libra/",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "1ceb05c4-7d25-11ee-9562-f661ea17fbcd"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -22,6 +22,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
@@ -2,7 +2,7 @@
creation_date = "2023/11/07"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -26,6 +26,8 @@ references = [
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
@@ -3,7 +3,7 @@ creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
promotion = true
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -30,6 +30,8 @@ references = [
"https://developer.okta.com/docs/reference/api/event-types/",
"https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -29,6 +29,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "b8075894-0b62-46e5-977c-31275da34419"
@@ -2,7 +2,7 @@
creation_date = "2020/11/06"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -29,6 +29,9 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
]
risk_score = 47
rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -28,6 +28,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5"
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -28,6 +28,9 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
"https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
]
risk_score = 21
rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
@@ -2,7 +2,7 @@
creation_date = "2020/05/20"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -57,6 +57,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 21
rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
@@ -2,7 +2,7 @@
creation_date = "2023/11/06"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -54,6 +54,8 @@ references = [
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://unit42.paloaltonetworks.com/muddled-libra/",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "29b53942-7cd4-11ee-b70e-f661ea17fbcd"
@@ -2,7 +2,7 @@
creation_date = "2020/07/01"
integration = ["okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -28,6 +28,8 @@ references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 47
rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
@@ -2,7 +2,7 @@
creation_date = "2023/11/09"
integration = ["endpoint", "okta"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -58,6 +58,8 @@ references = [
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
]
risk_score = 73
rule_id = "5610b192-7f18-11ee-825b-f661ea17fbcd"
@@ -2,7 +2,7 @@
creation_date = "2023/02/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/08"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Disable IPTables or Firewall"
references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
risk_score = 21
rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f"
setup = """## Setup
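Review bot: The new `references` entry added after `name = "Attempt to Disable IPTables or Firewall"` points to a Log4j2 detection write-up, and nothing visible in the rule ties that article to firewall tampering, so an analyst opening the link during triage may not see why it is attached. If the article is cited because it documents this activity as a post-exploitation step, it would help to state that rationale where prose is allowed, for example in the rule's investigation guide (`note`), since `references` is a bare URL list with no room for a caption. The same question applies to the hunks below that add the identical URL to "Attempt to Disable Syslog Service" and "System Log File Deletion". The remainder of the rule body, including `setup`, lies outside this hunk.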
@@ -74,20 +75,22 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2020/04/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -15,6 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Disable Syslog Service"
references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
risk_score = 47
rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
setup = """## Setup
@@ -2,21 +2,24 @@
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/31"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries
to evade detection. Copying a system binary to a different location should not occur often, so if it does, the
activity should be investigated.
This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to
evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity
should be investigated.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "System Binary Moved or Copied"
references = ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"]
references = [
"https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 47
rule_id = "fda1d332-5e08-4f27-8a9b-8c802e3292a6"
setup = """## Setup
@@ -54,6 +57,7 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and
file.Ext.original.path : (
@@ -87,25 +91,27 @@ file.Ext.original.path : (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.003"
name = "Rename System Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/08"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -17,6 +17,7 @@ license = "Elastic License v2"
name = "System Log File Deletion"
references = [
"https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html",
"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security",
]
risk_score = 47
rule_id = "aa895aea-b69c-4411-b110-8d7599634b30"
@@ -92,20 +93,22 @@ file where host.os.type == "linux" and event.type == "deletion" and
not process.name in ("gzip", "executor", "dockerd")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1070"
name = "Indicator Removal"
reference = "https://attack.mitre.org/techniques/T1070/"
[[rule.threat.technique.subtechnique]]
id = "T1070.002"
name = "Clear Linux or Mac System Logs"
reference = "https://attack.mitre.org/techniques/T1070/002/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2023/07/24"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "SUID/SGUID Enumeration Detected"
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 21
rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5"
setup = """## Setup
@@ -2,14 +2,14 @@
creation_date = "2024/06/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/25"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
description = """
This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is
used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an
attacker is attempting to establish persistence in a YUM or DNF plugin.
This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used
to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an attacker is
attempting to establish persistence in a YUM or DNF plugin.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
@@ -17,8 +17,9 @@ language = "eql"
license = "Elastic License v2"
name = "Yum/DNF Plugin Status Discovery"
references = [
"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb",
"https://pwnshift.github.io/2020/10/01/persistence.html"
"https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb",
"https://pwnshift.github.io/2020/10/01/persistence.html",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 21
rule_id = "78390eb5-c838-4c1d-8240-69dd7397cfb7"
@@ -54,6 +55,7 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.name == "grep" and process.args : "plugins*" and process.args : (
@@ -62,15 +64,17 @@ process.name == "grep" and process.args : "plugins*" and process.args : (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
@@ -2,7 +2,7 @@
creation_date = "2024/03/13"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -19,7 +19,10 @@ index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"
language = "eql"
license = "Elastic License v2"
name = "Network Connection from Binary with RWX Memory Region"
references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"]
references = [
"https://man7.org/linux/man-pages/man2/mprotect.2.html",
"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd",
]
risk_score = 47
rule_id = "32300431-c2d5-432d-8ec8-0e03f9924756"
setup = """## Setup
@@ -2,7 +2,7 @@
creation_date = "2022/05/06"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -87,6 +87,7 @@ references = [
"https://gtfobins.github.io/gtfobins/byebug/",
"https://gtfobins.github.io/gtfobins/git/",
"https://gtfobins.github.io/gtfobins/ftp/",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 47
rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
@@ -2,7 +2,7 @@
creation_date = "2023/08/10"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -16,6 +16,10 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Meterpreter Reverse Shell"
references = [
"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd",
]
risk_score = 47
rule_id = "5c895b4f-9133-4e68-9e23-59902175355c"
setup = """## Setup
@@ -2,7 +2,7 @@
creation_date = "2023/07/04"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -19,6 +19,8 @@ license = "Elastic License v2"
name = "Potential Reverse Shell via UDP"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd",
]
risk_score = 47
rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037"
@@ -2,7 +2,7 @@
creation_date = "2024/03/13"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2024/07/18"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -18,7 +18,10 @@ index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "kuery"
license = "Elastic License v2"
name = "Unknown Execution of Binary with RWX Memory Region"
references = ["https://man7.org/linux/man-pages/man2/mprotect.2.html"]
references = [
"https://man7.org/linux/man-pages/man2/mprotect.2.html",
"https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd",
]
risk_score = 47
rule_id = "23bcd283-2bc0-4db2-81d4-273fc051e5c0"
setup = """## Setup
@@ -58,19 +61,20 @@ event.category:process and host.os.type:linux and auditd.data.syscall:mprotect a
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
@@ -79,7 +83,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
@@ -2,7 +2,7 @@
creation_date = "2024/02/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/09"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious APT Package Manager Execution"
references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"]
risk_score = 47
rule_id = "ad959eeb-2b7b-4722-ba08-a45f6622f005"
setup = """## Setup
@@ -75,50 +76,48 @@ sequence by host.id with maxspan=5s
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -126,3 +125,4 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2024/06/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/09"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "APT Package Manager Configuration File Creation"
references = ["https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html"]
references = [
"https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 47
rule_id = "7c2e1297-7664-42bc-af11-6d5d35220b6b"
setup = """## Setup
@@ -57,6 +60,7 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and
file.path : "/etc/apt/apt.conf.d/*" and not (
@@ -84,34 +88,34 @@ file.path : "/etc/apt/apt.conf.d/*" and not (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -119,3 +123,4 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2024/02/01"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/18"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -18,6 +18,7 @@ index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious APT Package Manager Network Connection"
references = ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"]
risk_score = 47
rule_id = "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c"
setup = """## Setup
@@ -77,34 +78,34 @@ sequence by host.id with maxspan=5s
] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -112,7 +113,6 @@ framework = "MITRE ATT&CK"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -120,3 +120,4 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2024/05/31"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/31"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -17,6 +17,7 @@ index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "At Job Created or Modified"
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 47
rule_id = "84755a05-78c8-4430-8681-89cd6c857d71"
setup = """## Setup
@@ -56,6 +57,7 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and
event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/*" and not (
@@ -78,56 +80,56 @@ event.action in ("rename", "creation") and file.path : "/var/spool/cron/atjobs/*
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.002"
name = "At"
reference = "https://attack.mitre.org/techniques/T1053/002/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.002"
name = "At"
reference = "https://attack.mitre.org/techniques/T1053/002/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.002"
name = "At"
reference = "https://attack.mitre.org/techniques/T1053/002/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,7 +2,7 @@
creation_date = "2023/06/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/09/23"
[transform]
[[transform.osquery]]
@@ -135,6 +135,7 @@ This rule monitors the creation of cron jobs by monitoring for file creation and
"""
references = [
"https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
]
risk_score = 47
rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9"
@@ -2,7 +2,7 @@
creation_date = "2024/06/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/09"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -18,7 +18,10 @@ index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "DNF Package Manager Plugin File Creation"
references = ["https://pwnshift.github.io/2020/10/01/persistence.html"]
references = [
"https://pwnshift.github.io/2020/10/01/persistence.html",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 21
rule_id = "3fe4e20c-a600-4a86-9d98-3ecb1ef23550"
setup = """## Setup
@@ -58,6 +61,7 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and
file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*") and not (
@@ -81,34 +85,34 @@ file.path : ("/usr/lib/python*/site-packages/dnf-plugins/*", "/etc/dnf/plugins/*
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.016"
name = "Installer Packages"
reference = "https://attack.mitre.org/techniques/T1546/016/"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -116,3 +120,4 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2022/07/22"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/21"
updated_date = "2024/09/23"
[transform]
[[transform.osquery]]
@@ -136,6 +136,8 @@ This rule monitors for the creation of the most common system-wide configuration
references = [
"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/",
"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 47
rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
@@ -2,21 +2,24 @@
creation_date = "2024/07/15"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/15"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
description = """
This rule detects the execution of a potentially malicious process from a Git hook. Git hooks are scripts that Git
executes before or after events such as: commit, push, and receive. An attacker can abuse Git hooks to execute
arbitrary commands on the system and establish persistence.
executes before or after events such as: commit, push, and receive. An attacker can abuse Git hooks to execute arbitrary
commands on the system and establish persistence.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Git Hook Command Execution"
references = ["https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git"]
references = [
"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 47
rule_id = "dc61f382-dc0c-4cc0-a845-069f2a071704"
setup = """## Setup
@@ -55,6 +58,7 @@ tags = [
"Data Source: Elastic Defend",
]
type = "eql"
query = '''
sequence by host.id with maxspan=3s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -65,9 +69,9 @@ sequence by host.id with maxspan=3s
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
@@ -78,29 +82,28 @@ id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -108,3 +111,4 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2024/06/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/26"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Git Hook Created or Modified"
references = ["https://git-scm.com/docs/githooks/2.26.0"]
references = [
"https://git-scm.com/docs/githooks/2.26.0",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 21
rule_id = "ac531fcc-1d3b-476d-bbb5-1357728c9a37"
setup = """## Setup
@@ -57,6 +60,7 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "creation" and file.path : "*.git/hooks/*" and
file.extension == null and process.executable != null and not (
@@ -77,9 +81,9 @@ file.extension == null and process.executable != null and not (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
@@ -90,29 +94,28 @@ id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -120,3 +123,4 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2024/07/15"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/15"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.process*", "logs-endpoint.events.network*"]
language = "eql"
license = "Elastic License v2"
name = "Git Hook Egress Network Connection"
references = ["https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git"]
references = [
"https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 47
rule_id = "9822c5a1-1494-42de-b197-487197bb540c"
setup = """## Setup
@@ -56,6 +59,7 @@ tags = [
"Data Source: Elastic Defend",
]
type = "eql"
query = '''
sequence by host.id with maxspan=3s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -73,9 +77,9 @@ sequence by host.id with maxspan=3s
] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
@@ -86,29 +90,28 @@ id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -116,3 +119,4 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2024/06/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/26"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
@@ -17,7 +17,10 @@ index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Git Hook Child Process"
references = ["https://git-scm.com/docs/githooks/2.26.0"]
references = [
"https://git-scm.com/docs/githooks/2.26.0",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 21
rule_id = "7ce5e1c7-6a49-45e6-a101-0720d185667f"
setup = """## Setup
@@ -57,6 +60,7 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in (
"applypatch-msg", "commit-msg", "fsmonitor-watchman", "post-update", "post-checkout", "post-commit",
@@ -73,9 +77,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action
) and not process.name in ("git", "dirname")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
@@ -86,29 +90,28 @@ id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -116,3 +119,4 @@ framework = "MITRE ATT&CK"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2023/03/21"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/21"
updated_date = "2024/09/23"
[transform]
[[transform.osquery]]
@@ -30,6 +30,7 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Crontab Information"
query = "SELECT * FROM crontab"
[rule]
author = ["Elastic"]
description = """
@@ -109,6 +110,7 @@ references = [
"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 21
rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
@@ -149,6 +151,7 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event")
and file.path : "/etc/init.d/*" and not (
@@ -172,15 +175,17 @@ and file.path : "/etc/init.d/*" and not (
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -2,7 +2,7 @@
creation_date = "2021/01/06"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/18"
updated_date = "2024/09/23"
[transform]
[[transform.osquery]]
@@ -151,6 +151,7 @@ references = [
"https://userbase.kde.org/System_Settings/Autostart",
"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
"https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
]
risk_score = 47
rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
@@ -2,7 +2,7 @@
creation_date = "2023/03/07"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[transform]
[[transform.osquery]]
@@ -87,6 +87,7 @@ This rule identifies the usage of the `usermod` command to set a user's UID to 0
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 47
rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
setup = """## Setup
@@ -2,7 +2,7 @@
creation_date = "2023/02/13"
integration = ["system"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[transform]
[[transform.osquery]]
@@ -77,6 +77,7 @@ This rule identifies the usages of `groupadd` and `addgroup` to create new group
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 21
rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f"
setup = """## Setup
@@ -2,7 +2,7 @@
creation_date = "2023/02/13"
integration = ["system"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/23"
[transform]
[[transform.osquery]]
@@ -76,6 +76,7 @@ This rule identifies the usage of `useradd` and `adduser` to create new accounts
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 21
rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c"
setup = """## Setup
