security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71186c8788b3f85dba122647e8992dcafe29c7e3
sigma-rules/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
T
Jonhnathan 38b8311482 [Security Content] Expand Abbreviated Tags (#2414) 
* [Security Content] Expand Abbreviated Tags

* .

* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Revert changes to deprecated rules

* Bump updated_date

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2023-03-06 17:37:52 -03:00

49 lines
1.6 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2023/03/06"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be
targeted in order to harvest credentials or user data scripts containing secrets.
"""
false_positives = [
"""
A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection
rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.
""",
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_linux_rare_metadata_user"]
name = "Unusual Linux User Calling the Metadata Service"
risk_score = 21
rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Credential Access"]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
Reference in New Issue View Git Blame Copy Permalink