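[metadata]
creation_date = "2020/02/18"
maturity = "production"
# Promotion rules re-surface an alert an external product (here Elastic
# Endgame) has already raised; they do not detect new behaviour themselves,
# which is why max_signals below is raised far above the default.
promotion = true
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
"""
# A 15 m look-back on a 10 m schedule gives consecutive runs a 5 m overlap,
# so alerts that arrive late still fall inside a window (see
# timestamp_override below for why ingestion time is used).
from = "now-15m"
index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
# Well above the 1000-alert default so that every promoted Endgame alert can
# become a Kibana alert. The setup text documents the Kibana-wide cap that can
# still clip this value.
max_signals = 10000
name = "Exploit - Detected - Elastic Endgame"
# risk_score and severity are meant to move together if the rating changes.
risk_score = 73
rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
setup = """## Setup

This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "high"
tags = [
    "Data Source: Elastic Endgame",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Privilege Escalation",
]
# Window the query on the time the document was indexed rather than the
# event's own @timestamp, so Endgame alerts indexed after a delay are not
# skipped by the look-back window.
timestamp_override = "event.ingested"
type = "query"
# Every clause is required: an alert from the endgame module carrying
# Endgame's own detection metadata, with the exploit subtype accepted under
# either of the two field names the data may use.
query = '''
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
'''

# Two ATT&CK mappings. The Execution entry lists the tactic only; the
# Privilege Escalation entry is the one that carries a technique (T1068).
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"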