[metadata]
creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
promotion = true

[rule]
author = ["Elastic"]
description = """
Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the
rule.reference column for additional information.
"""
from = "now-15m"
index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Exploit - Detected - Elastic Endgame"
risk_score = 73
rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
severity = "high"
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
type = "query"

query = '''
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"