=== Application Added to Google Workspace Domain

Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization’s Google Workspace domain in order to maintain a presence in their target’s organization and steal data.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-google_workspace*

Severity: medium

Risk score: 47

Runs every: 10 minutes

Searches indices from: now-130m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Google Workspace
  • Continuous Monitoring
  • SecOps
  • Configuration Audit

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.

==== Investigation guide

## Config

The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

### Important Information Regarding Google Workspace Event Lag Times

- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information.
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/7.12/filebeat-module-google_workspace.html
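
A simplified scheduling model, added here as an illustration and not Elastic's code, of how the numbers above combine: Filebeat polls Google's reporting API every `var.interval`, the rule runs every 10 minutes, and each execution keeps only events whose `@timestamp` falls within the last 130 minutes. The Google-side lag values, the fixed-period poll and run schedules, and the 1-minute phase sweep are assumptions made for the demonstration.

```python
"""Simplified model of Google Workspace event ingestion vs. this rule's schedule.
Times are timedeltas from an arbitrary origin; Filebeat polling and rule execution
are modelled as fixed-period schedules (an assumption for this demonstration)."""
import math
from datetime import timedelta

RULE_INTERVAL = timedelta(minutes=10)   # "Runs every: 10 minutes"
RULE_LOOKBACK = timedelta(minutes=130)  # "Searches indices from: now-130m"


def minutes(n):
    """Convenience constructor so callers can stay in whole minutes."""
    return timedelta(minutes=n)


def next_tick(t, period, phase):
    """First instant >= t on the schedule phase, phase + period, phase + 2*period, ..."""
    if t <= phase:
        return phase
    return phase + math.ceil((t - phase) / period) * period


def first_run_that_sees(occurred, google_lag, poll_interval, poll_phase, run_phase):
    """Time of the first rule execution whose window contains the event, or None.

    occurred      event time (becomes @timestamp once the event is indexed)
    google_lag    delay before Google's reporting API exposes the event (assumed)
    poll_interval Filebeat's var.interval for the google_workspace module
    """
    visible = occurred + google_lag                             # Google-side lag
    ingested = next_tick(visible, poll_interval, poll_phase)    # next Filebeat poll
    run = next_tick(ingested, RULE_INTERVAL, run_phase)         # next rule execution
    # The window is keyed on @timestamp, so an event ingested late may already
    # have aged out of now-130m by the time a run could first see it.
    return run if run - RULE_LOOKBACK <= occurred else None


def worst_case_delay(google_lag, poll_interval):
    """Largest occurrence-to-execution delay over a 1-minute sweep of the event's
    position in the poll cycle and of the rule's phase within its 10-minute cycle."""
    worst = timedelta(0)
    poll_minutes = int(poll_interval.total_seconds() // 60)
    run_minutes = int(RULE_INTERVAL.total_seconds() // 60)
    for m in range(poll_minutes + 1):
        occurred = minutes(m)
        for p in range(run_minutes):
            ingested = next_tick(occurred + google_lag, poll_interval, timedelta(0))
            run = next_tick(ingested, RULE_INTERVAL, minutes(p))
            worst = max(worst, run - occurred)
    return worst


def always_detected(google_lag, poll_interval):
    """True when no alignment of event, poll and rule schedules can push the event
    outside the 130-minute lookback."""
    return worst_case_delay(google_lag, poll_interval) <= RULE_LOOKBACK


if __name__ == "__main__":
    five_min, three_days = minutes(5), timedelta(days=3)
    for poll in (timedelta(hours=2), minutes(10)):   # default 2h vs. recommended 10m
        print(f"var.interval={poll}: worst delay with 5m Google lag "
              f"{worst_case_delay(five_min, poll)}, always detected: "
              f"{always_detected(five_min, poll)}; with 3-day lag: "
              f"{always_detected(three_days, poll)}")
```

With the default 2-hour poll, even a five-minute Google-side lag can push an event past the 130-minute window at an unlucky alignment, while a 10-minute poll leaves over 100 minutes of margin; a multi-day Google lag is outside the rule's window under either setting.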

==== Rule query

event.dataset:(gsuite.admin or google_workspace.admin) and
event.provider:admin and event.category:iam and
event.action:ADD_APPLICATION

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Attempt to Create Okta API Token

An adversary may create an Okta API token to maintain access to an organization’s network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts, or disabling security rules or policies.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.

==== Investigation guide

The Okta Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:system.api_token.create

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Formatting only
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:system.api_token.create

=== Attempt to Deactivate MFA for an Okta User Account

Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:user.mfa.factor.deactivate

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Rule name changed from: Attempt to Deactivate MFA for Okta User Account
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:user.mfa.factor.deactivate

=== Attempt to Deactivate an Okta Application

Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if your organization’s Okta applications are regularly deactivated and the behavior is expected.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and
event.action:application.lifecycle.deactivate

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Attempt to Deactivate an Okta Network Zone

Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Network Security

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if your organization’s Okta network zones are regularly modified.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:zone.deactivate

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Attempt to Deactivate an Okta Policy

Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization’s security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.lifecycle.deactivate

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Rule name changed from: Attempt to Deactivate Okta Policy
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:policy.lifecycle.deactivate

=== Attempt to Deactivate an Okta Policy Rule

Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization’s security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.rule.deactivate

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Rule name changed from: Attempt to Deactivate Okta MFA Rule
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:policy.rule.deactivate

=== Attempt to Delete an Okta Application

Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if your organization’s Okta applications are regularly deleted and the behavior is expected.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and
event.action:application.lifecycle.delete

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Attempt to Delete an Okta Network Zone

Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Network Security

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if your organization’s Okta network zones are regularly deleted.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:zone.delete

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Attempt to Delete an Okta Policy

Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization’s security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.lifecycle.delete

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Rule name changed from: Attempt to Delete Okta Policy
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:policy.lifecycle.delete

=== Attempt to Delete an Okta Policy Rule

Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization’s security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.rule.delete

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Attempt to Disable Gatekeeper

Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that’s designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Defense Evasion

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.args:(spctl and "--master-disable")

==== Threat mapping

Framework: MITRE ATT&CK™

=== Attempt to Disable IPTables or Firewall

Identifies attempts to disable iptables or a firewall service, a technique adversaries can use to modify the network traffic hosts are allowed to send and receive.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Defense Evasion

Version: 7 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:ufw and process.args:(allow or disable or reset) or
(((process.name:service and process.args:stop) or
(process.name:chkconfig and process.args:off) or
(process.name:systemctl and process.args:(disable or stop or kill)))
and process.args:(firewalld or ip6tables or iptables))

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 7 (7.12.0 release)
  • Formatting only
Version 6 (7.11.2 release)
  • Formatting only
Version 5 (7.11.0 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Formatting only
Version 3 (7.9.1 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Updated query, changed from:

    event.action:(executed or process_started) and (process.name:service
    and process.args:stop or process.name:chkconfig and process.args:off)
    and process.args:(ip6tables or iptables) or process.name:systemctl and
    process.args:(firewalld and (disable or stop or kill))

=== Attempt to Disable Syslog Service

Identifies attempts to disable the syslog service, a technique adversaries can use to disrupt event logging and evade detection by security controls.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Defense Evasion

Version: 7 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
((process.name:service and process.args:stop) or
(process.name:chkconfig and process.args:off) or
(process.name:systemctl and process.args:(disable or stop or kill)))
and process.args:(syslog or rsyslog or "syslog-ng")
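
The firewall and syslog queries above, translated into Python predicates over constructed ECS-style events as an added illustration (not Elastic's code), with KQL's precedence made explicit: `and` binds tighter than `or`, so in the firewall query only the `ufw` branch is gated by `event.category`/`event.type`, whereas the syslog query parenthesizes the whole service group so the gate applies to every branch. Flattened dotted field names and the sample events are assumptions of the demonstration.

```python
"""Constructed ECS-style events (flattened dotted keys, an assumption here) and the
two Linux service-disable queries rewritten with KQL's and/or precedence explicit."""


def has(event, field, *values):
    """KQL-style term match: an array field such as process.args matches when any
    element equals one of the values; a scalar field matches when it equals one."""
    held = event.get(field)
    if held is None:
        return False
    items = held if isinstance(held, list) else [held]
    return any(item in values for item in items)


def process_start(e):
    """event.category:process and event.type:(start or process_started)"""
    return (has(e, "event.category", "process")
            and has(e, "event.type", "start", "process_started"))


def service_stop_group(e):
    """(service stop) or (chkconfig off) or (systemctl disable/stop/kill)"""
    return ((has(e, "process.name", "service") and has(e, "process.args", "stop"))
            or (has(e, "process.name", "chkconfig") and has(e, "process.args", "off"))
            or (has(e, "process.name", "systemctl")
                and has(e, "process.args", "disable", "stop", "kill")))


def firewall_rule_as_written(e):
    """Attempt to Disable IPTables or Firewall, grouped as KQL parses it:
    (start gate and ufw ...) or (service group and firewall name).
    The right-hand branch carries no event.category/event.type gate."""
    ufw_branch = (process_start(e) and has(e, "process.name", "ufw")
                  and has(e, "process.args", "allow", "disable", "reset"))
    service_branch = (service_stop_group(e)
                      and has(e, "process.args", "firewalld", "ip6tables", "iptables"))
    return ufw_branch or service_branch


def syslog_rule(e):
    """Attempt to Disable Syslog Service: the service group is parenthesized, so
    the process-start gate applies to every branch."""
    return (process_start(e) and service_stop_group(e)
            and has(e, "process.args", "syslog", "rsyslog", "syslog-ng"))


# Constructed sample events; the "end" records mimic process-termination events that
# sit beside "start" records in the same indices.
EVENTS = [
    {"id": "ufw-disable-start", "event.category": "process", "event.type": ["start"],
     "process.name": "ufw", "process.args": ["ufw", "disable"]},
    {"id": "ufw-status-start", "event.category": "process", "event.type": ["start"],
     "process.name": "ufw", "process.args": ["ufw", "status"]},
    {"id": "systemctl-stop-firewalld-start", "event.category": "process",
     "event.type": ["start"], "process.name": "systemctl",
     "process.args": ["systemctl", "stop", "firewalld"]},
    {"id": "systemctl-stop-firewalld-end", "event.category": "process",
     "event.type": ["end"], "process.name": "systemctl",
     "process.args": ["systemctl", "stop", "firewalld"]},
    {"id": "systemctl-disable-rsyslog-start", "event.category": "process",
     "event.type": ["start"], "process.name": "systemctl",
     "process.args": ["systemctl", "disable", "rsyslog"]},
    {"id": "systemctl-disable-rsyslog-end", "event.category": "process",
     "event.type": ["end"], "process.name": "systemctl",
     "process.args": ["systemctl", "disable", "rsyslog"]},
]


def matching_ids(rule, events=EVENTS):
    """IDs of the events a rule predicate would alert on."""
    return [e["id"] for e in events if rule(e)]


if __name__ == "__main__":
    print("firewall:", matching_ids(firewall_rule_as_written))
    print("syslog:  ", matching_ids(syslog_rule))
```

The firewall predicate also fires on the constructed `systemctl stop firewalld` end record, so an exception tuned to the firewall rule should expect matches that are not process-start events.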

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 7 (7.12.0 release)
  • Formatting only
Version 6 (7.11.2 release)
  • Formatting only
Version 5 (7.11.0 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Formatting only
Version 3 (7.9.1 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Updated query, changed from:

    event.action:(executed or process_started) and ((process.name:service
    and process.args:stop) or (process.name:chkconfig and
    process.args:off) or (process.name:systemctl and process.args:(disable
    or stop or kill))) and process.args:(syslog or rsyslog or "syslog-ng")

=== Attempt to Enable the Root Account

Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:dsenableroot and not process.args:"-d"

==== Threat mapping

Framework: MITRE ATT&CK™

=== Attempt to Install Root Certificate

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Defense Evasion

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Certain applications may install root certificates for the purpose of inspecting SSL traffic.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:security and process.args:"add-trusted-cert"

==== Threat mapping

Framework: MITRE ATT&CK™

=== Attempt to Modify an Okta Application

Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if your organization’s Okta applications are regularly modified and the behavior is expected.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and
event.action:application.lifecycle.update

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Attempt to Modify an Okta Network Zone

Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Network Security

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if your organization’s Okta network zones are regularly modified.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:(zone.update or
network_zone.rule.disabled or zone.remove_blacklist)

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Rule name changed from: Attempt to Modify Okta Network Zone
  • Updated query, changed from:

    event.dataset:okta.system and event.action:(zone.update or
    zone.deactivate or zone.delete or network_zone.rule.disabled or
    zone.remove_blacklist)
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:(zone.update or zone.deactivate or zone.delete or
    network_zone.rule.disabled or zone.remove_blacklist)

=== Attempt to Modify an Okta Policy

Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization’s security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.lifecycle.update

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Rule name changed from: Attempt to Modify Okta Policy
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:policy.lifecycle.update

=== Attempt to Modify an Okta Policy Rule

Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization’s security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.rule.update

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Rule name changed from: Attempt to Modify Okta MFA Rule
  • Updated query, changed from:

    event.dataset:okta.system and event.action:(policy.rule.update or
    policy.rule.delete)
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:(policy.rule.update or policy.rule.delete)

=== Attempt to Mount SMB Share via Command Line

Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Lateral Movement

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

process where event.type in ("start", "process_started") and (
process.name : "mount_smbfs" or (process.name : "open" and
process.args : "smb://*") or (process.name : "mount" and
process.args : "smbfs") or (process.name : "osascript" and
process.command_line : "osascript*mount volume*smb://*") )

==== Threat mapping

Framework: MITRE ATT&CK™

=== Attempt to Remove File Quarantine Attribute

Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple’s Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Defense Evasion

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

process where event.type in ("start", "process_started") and
process.args : "xattr" and ( (process.args :
"com.apple.quarantine" and process.args : ("-d", "-w")) or
(process.args : "-c" and process.command_line : (
"/bin/bash -c xattr -c *", "/bin/zsh -c xattr -c *",
"/bin/sh -c xattr -c *" ) ) )

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Updated query, changed from:

    process where event.type in ("start", "process_started") and
    process.name == "xattr" and process.args == "com.apple.quarantine" and
    process.args == "-d"
Version 2 (7.11.2 release)
  • Formatting only
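As an added illustration (not part of the Elastic rule docs), the following Python evaluator applies both the version 2 query and the current version 3 query to constructed process events, showing which `xattr` invocations each version flags. The `xattr`/`com.apple.quarantine` matching and the three shell command-line patterns come from the queries above; the sample file paths and the whitespace-tokenized `process.args` are assumptions.

```python
import fnmatch

# Added example: evaluator for "Attempt to Remove File Quarantine Attribute",
# rule versions 2 and 3, run over constructed process events. Events are flat
# dicts keyed by ECS field name.


def _glob_any(values, patterns):
    """EQL `field : (p1, p2)` semantics: case-insensitive, `*` wildcard,
    true if any value of the (possibly array) field matches any pattern."""
    if isinstance(values, str):
        values = [values]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(
        fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns
    )


def _started(ev):
    return ev.get("event.type") in ("start", "process_started")


def quarantine_rule_v2(ev):
    """Version 2 (7.11.x): process.name == "xattr" and
    process.args == "com.apple.quarantine" and process.args == "-d".
    EQL `==` on an array field is true if any element equals the value."""
    args = ev.get("process.args", [])
    return (
        _started(ev)
        and ev.get("process.name") == "xattr"
        and "com.apple.quarantine" in args
        and "-d" in args
    )


def quarantine_rule_v3(ev):
    """Version 3 (7.12.0): additionally covers `xattr -w com.apple.quarantine`
    (overwriting the attribute) and `xattr -c` launched through a shell."""
    args = ev.get("process.args", [])
    if not (_started(ev) and _glob_any(args, "xattr")):
        return False
    direct = _glob_any(args, "com.apple.quarantine") and _glob_any(args, ("-d", "-w"))
    via_shell = _glob_any(args, "-c") and _glob_any(
        ev.get("process.command_line", ""),
        ("/bin/bash -c xattr -c *", "/bin/zsh -c xattr -c *", "/bin/sh -c xattr -c *"),
    )
    return direct or via_shell


def _event(command_line, event_type="start"):
    # Constructed sample event. process.args is whitespace-tokenized so that
    # "xattr" is its own element, which the shell branch of version 3 relies on
    # (assumption about how the data source tokenizes arguments).
    argv = command_line.split()
    return {
        "event.category": "process",
        "event.type": event_type,
        "process.name": argv[0].rsplit("/", 1)[-1],
        "process.args": argv,
        "process.command_line": command_line,
    }


# Constructed sample events; file paths are placeholders.
SAMPLE_EVENTS = {
    "delete_direct": _event("xattr -d com.apple.quarantine /Users/alice/Downloads/Tool.app"),
    "overwrite_direct": _event("xattr -w com.apple.quarantine 0000 /Users/alice/Downloads/Tool.app"),
    "clear_via_sh": _event("/bin/sh -c xattr -c /Users/alice/Downloads/Tool.app"),
    "list_only": _event("xattr -p com.apple.quarantine /Users/alice/Downloads/Tool.app"),
    "not_a_start": _event("xattr -d com.apple.quarantine /tmp/x", event_type="end"),
}


def evaluate(events=SAMPLE_EVENTS):
    """Return {label: (matches_v2, matches_v3)} for each sample event."""
    return {k: (quarantine_rule_v2(ev), quarantine_rule_v3(ev)) for k, ev in events.items()}


if __name__ == "__main__":
    for label, (v2, v3) in evaluate().items():
        print(f"{label:18s} v2={v2!s:6s} v3={v3}")
```

Only the first sample fires under version 2; the `-w` overwrite and the shell-wrapped `xattr -c` are caught by version 3 alone, while the read-only `-p` listing matches neither.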

=== Attempt to Reset MFA Factors for an Okta User Account

Detects attempts to reset an Okta user’s enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user’s account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim’s environment.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:user.mfa.factor.reset_all

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Rule name changed from: Attempt to Reset MFA Factors for Okta User Account
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:user.mfa.factor.reset_all

=== Attempt to Revoke Okta API Token

Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization’s business operations.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.

==== Investigation guide

The Okta Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:system.api_token.revoke

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Formatting only
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:system.api_token.revoke

=== Attempt to Unload Elastic Endpoint Security Kernel Extension

Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Defense Evasion

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:kextunload and
process.args:("/System/Library/Extensions/EndpointSecurity.kext" or
"EndpointSecurity.kext")

==== Threat mapping

Framework: MITRE ATT&CK™

=== Attempted Bypass of Okta MFA

An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Okta Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:user.mfa.attempt_bypass

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.11.2 release)
  • Formatting only
Version 3 (7.11.0 release)
  • Formatting only
Version 2 (7.10.0 release)
  • Updated query, changed from:

    event.module:okta and event.dataset:okta.system and
    event.action:user.mfa.attempt_bypass

=== Attempts to Brute Force a Microsoft 365 User Account

Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.

Rule type: threshold

Rule indices:

  • filebeat-*
  • logs-o365*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Cloud
  • Microsoft 365
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.

==== Investigation guide

The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:o365.audit and event.provider:AzureActiveDirectory and
event.category:authentication and event.action:UserLoginFailed and
event.outcome:failure

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 2 (7.12.0 release)
  • Formatting only

=== Attempts to Brute Force an Okta User Account

Identifies when an Okta user account is locked out 3 times within a 3-hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.

Rule type: threshold

Rule indices:

  • filebeat-*
  • logs-okta*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-180m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Identity
  • Okta
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Okta Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:user.account.lock

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Formatting only
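The threshold logic behind this rule, as an added Python example that is not Elastic's code: it applies the query above, then counts matching lockout events per user inside the 180-minute window and alerts once a user reaches three. The grouping field `okta.actor.alternate_id`, the fixed `now`, and the user names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Added example: threshold evaluation for "Attempts to Brute Force an Okta User Account".
LOOKBACK = timedelta(minutes=180)   # "Searches indices from: now-180m"
THRESHOLD = 3                       # "locked out 3 times within a 3 hour window"
# Assumption: the threshold groups on the locked-out user's login name, carried in
# this Okta Filebeat field. The rule page does not state the grouping field.
GROUP_FIELD = "okta.actor.alternate_id"


def matches_query(ev):
    """The rule query: event.dataset:okta.system and event.action:user.account.lock."""
    return (
        ev.get("event.dataset") == "okta.system"
        and ev.get("event.action") == "user.account.lock"
    )


def threshold_alerts(events, now):
    """Count query matches per GROUP_FIELD inside [now - LOOKBACK, now] and return
    {group_value: count} for every group that reached THRESHOLD."""
    window_start = now - LOOKBACK
    counts = defaultdict(int)
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"])
        if window_start <= ts <= now and matches_query(ev):
            counts[ev.get(GROUP_FIELD, "<missing>")] += 1
    return {user: n for user, n in counts.items() if n >= THRESHOLD}


def _ev(minutes_ago, action, user, now):
    # Constructed Okta system-log event (subset of the Filebeat okta module fields).
    return {
        "@timestamp": (now - timedelta(minutes=minutes_ago)).isoformat(),
        "event.dataset": "okta.system",
        "event.action": action,
        GROUP_FIELD: user,
    }


def run_sample():
    """Constructed scenario; timestamps are relative to a fixed 'now'."""
    now = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)
    events = [
        # alice: three lockouts inside the 180-minute window -> alert
        _ev(170, "user.account.lock", "alice@example.com", now),
        _ev(90, "user.account.lock", "alice@example.com", now),
        _ev(20, "user.account.lock", "alice@example.com", now),
        # bob: three lockouts, but the first falls outside the window -> no alert
        _ev(200, "user.account.lock", "bob@example.com", now),
        _ev(100, "user.account.lock", "bob@example.com", now),
        _ev(10, "user.account.lock", "bob@example.com", now),
        # carol: one lockout plus events the query does not match
        _ev(30, "user.account.lock", "carol@example.com", now),
        _ev(25, "user.account.unlock", "carol@example.com", now),
        _ev(5, "user.session.start", "carol@example.com", now),
    ]
    return threshold_alerts(events, now)


if __name__ == "__main__":
    print(run_sample())  # alice reaches the threshold; bob and carol do not
```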

=== Auditd Login Attempt at Forbidden Time

Identifies that a login attempt occurred at a forbidden time.

Rule type: query

Rule indices:

  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Initial Access

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.module:auditd and event.action:"attempted-log-in-during-unusual-hour-to"

==== Threat mapping

Framework: MITRE ATT&CK™

=== Auditd Login from Forbidden Location

Identifies that a login attempt has happened from a forbidden location.

Rule type: query

Rule indices:

  • auditbeat-*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Initial Access

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.module:auditd and event.action:"attempted-log-in-from-unusual-place-to"

==== Threat mapping

Framework: MITRE ATT&CK™

=== Auditd Max Failed Login Attempts

Identifies that the maximum number of failed login attempts has been reached for a user.

Rule type: query

Rule indices:

  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Initial Access

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.module:auditd and event.action:"failed-log-in-too-many-times-to"

==== Threat mapping

Framework: MITRE ATT&CK™

=== Auditd Max Login Sessions

Identifies that the maximum number of login sessions has been reached for a user.

Rule type: query

Rule indices:

  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Initial Access

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.module:auditd and event.action:"opened-too-many-sessions-to"

==== Threat mapping

Framework: MITRE ATT&CK™

=== Authorization Plugin Modification

Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third-party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:file and not event.type:deletion and
file.path:(/Library/Security/SecurityAgentPlugins/* and not
/Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)

==== Threat mapping

Framework: MITRE ATT&CK™

=== Azure Active Directory High Risk Sign-in

Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft’s Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic, Willem D’Haese

Rule license: Elastic License v2

==== Investigation guide

The Azure Fleet Integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.signinlogs and
azure.signinlogs.properties.risk_level_during_signin:high and
event.outcome:(success or Success)

==== Threat mapping

Framework: MITRE ATT&CK™

=== Azure Active Directory PowerShell Sign-in

Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Fleet Integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.signinlogs and
azure.signinlogs.properties.app_display_name:"Azure Active Directory PowerShell" and
azure.signinlogs.properties.token_issuer_type:AzureAD and
event.outcome:(success or Success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Azure Application Credential Modification

Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Fleet Integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.auditlogs and
azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and
event.outcome:(success or Success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Azure Automation Account Created

Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target’s environment.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and
    event.outcome:Success

=== Azure Automation Runbook Created or Modified

Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target’s environment.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Configuration Audit

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and
azure.activitylogs.operation_name: (
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE" or
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE" or
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION" )
and event.outcome:(Success or success)

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or
    MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or
    MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or
    MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or
    MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and
    event.outcome:Success

=== Azure Automation Runbook Deleted

Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target’s automated business operations or to remove a malicious runbook that was used for persistence.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Configuration Audit

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
event.outcome:(Success or success)

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and
    event.outcome:Success

=== Azure Automation Webhook Created

Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Configuration Audit

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and
azure.activitylogs.operation_name: (
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION" or
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE" ) and
event.outcome:(Success or success)

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or
    MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or
    MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and
    event.outcome:Success

=== Azure Blob Container Access Level Modification

Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Asset Visibility

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and
    event.outcome:Success

=== Azure Command Execution on Virtual Machine

Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles, may be able to execute commands on a VM as well.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Log Auditing

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and
    event.outcome:Success

=== Azure Conditional Access Policy Modified

Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target’s security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Configuration Audit

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:(azure.activitylogs or azure.auditlogs) and (
azure.activitylogs.operation_name:"Update policy" or
azure.auditlogs.operation_name:"Update policy" ) and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:(azure.activitylogs or azure.auditlogs) and (
    azure.activitylogs.operation_name:"Update policy" or
    azure.auditlogs.operation_name:"Update policy" ) and
    event.outcome:success

=== Azure Diagnostic Settings Deletion

Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and
    event.outcome:Success

=== Azure Event Hub Authorization Rule Created or Updated

Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it’s recommended that you treat this rule like an administrative root account and don’t use it in your application.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Log Auditing

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and
    event.outcome:Success

=== Azure Event Hub Deletion

Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Log Auditing

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and
    event.outcome:Success

=== Azure External Guest User Invitation

Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice to avoid creating guest users. Guest users can be overlooked indefinitely, leaving a potential vulnerability in place.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.auditlogs and
azure.auditlogs.operation_name:"Invite external user" and
azure.auditlogs.properties.target_resources.*.display_name:guest and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.auditlogs and
    azure.auditlogs.operation_name:"Invite external user" and
    azure.auditlogs.properties.target_resources.*.display_name:guest and
    event.outcome:Success

=== Azure Firewall Policy Deletion

Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Network Security

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:(Success
    or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:Success

=== Azure Global Administrator Role Addition to PIM User

Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.auditlogs and
azure.auditlogs.properties.category:RoleManagement and
azure.auditlogs.operation_name:("Add eligible member to role in PIM
completed (permanent)" or "Add member to role in PIM completed
(timebound)") and
azure.auditlogs.properties.target_resources.*.display_name:"Global
Administrator" and event.outcome:(Success or success)
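The three Azure audit-log and activity-log queries above share one evaluation shape: a keyword field must equal one of a few accepted values, and the `target_resources.*.display_name` path walks every target resource of the event. The following Python emulation of that logic, over constructed sample events, is an added example and is not code from the page or from Elastic's rule repository. It assumes the Filebeat azure module stores `target_resources` as an object keyed by index (which is why the queries need a `*` segment); the event bodies, user names and hosts are constructed, and the PIM and guest-invitation rules are evaluated exactly as written on this page, together with the "Azure Resource Group Deletion" activity-log query as an example of the simpler activity-log pattern.

```python
"""Evaluate a few of this page's Azure audit/activity-log rules over constructed events."""

# Constructed sample events shaped like the ECS fields the queries reference (not real log
# data). target_resources is modelled as an object keyed by index ("0", "1", ...), the assumed
# reason the queries address it with a '*' path segment.
SAMPLE_EVENTS = [
    {   # 0: external guest invitation, succeeded
        "event": {"dataset": "azure.auditlogs", "outcome": "Success"},
        "azure": {"auditlogs": {
            "operation_name": "Invite external user",
            "properties": {"category": "UserManagement",
                           "target_resources": {"0": {"display_name": "guest", "type": "User"}}}}},
    },
    {   # 1: time-bound PIM assignment of Global Administrator, lower-case outcome
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"auditlogs": {
            "operation_name": "Add member to role in PIM completed (timebound)",
            "properties": {"category": "RoleManagement",
                           "target_resources": {"0": {"display_name": "alice@example.test"},
                                                "1": {"display_name": "Global Administrator"}}}}},
    },
    {   # 2: same PIM operation for a different role -> must not match
        "event": {"dataset": "azure.auditlogs", "outcome": "Success"},
        "azure": {"auditlogs": {
            "operation_name": "Add eligible member to role in PIM completed (permanent)",
            "properties": {"category": "RoleManagement",
                           "target_resources": {"0": {"display_name": "Application Administrator"}}}}},
    },
    {   # 3: resource-group deletion in the activity log that failed -> must not match
        "event": {"dataset": "azure.activitylogs", "outcome": "Failure"},
        "azure": {"activitylogs": {
            "operation_name": "MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE"}},
    },
    {   # 4: resource-group deletion that succeeded
        "event": {"dataset": "azure.activitylogs", "outcome": "Success"},
        "azure": {"activitylogs": {
            "operation_name": "MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE"}},
    },
]


def resolve(doc, path):
    """Yield every value reachable through a dotted field path.

    A '*' segment matches any key of an object (or any element of a list); that is how
    target_resources.*.display_name reaches the display name of each target resource.
    """
    parts = path.split(".")

    def walk(node, i):
        if i == len(parts):
            yield node
            return
        seg = parts[i]
        if isinstance(node, dict):
            keys = list(node.keys()) if seg == "*" else ([seg] if seg in node else [])
            for k in keys:
                yield from walk(node[k], i + 1)
        elif isinstance(node, list) and seg == "*":
            for item in node:
                yield from walk(item, i + 1)

    yield from walk(doc, 0)


# Keyword fields compare exactly, so the queries list both "Success" and "success"
# instead of matching case-insensitively; the emulation does the same.
OUTCOME_OK = {"Success", "success"}

# Each rule: field path -> set of accepted values; every clause must hold (KQL 'and').
RULES = {
    "Azure External Guest User Invitation": {
        "event.dataset": {"azure.auditlogs"},
        "azure.auditlogs.operation_name": {"Invite external user"},
        "azure.auditlogs.properties.target_resources.*.display_name": {"guest"},
        "event.outcome": OUTCOME_OK,
    },
    "Azure Global Administrator Role Addition to PIM User": {
        "event.dataset": {"azure.auditlogs"},
        "azure.auditlogs.properties.category": {"RoleManagement"},
        "azure.auditlogs.operation_name": {
            "Add eligible member to role in PIM completed (permanent)",
            "Add member to role in PIM completed (timebound)"},
        "azure.auditlogs.properties.target_resources.*.display_name": {"Global Administrator"},
        "event.outcome": OUTCOME_OK,
    },
    "Azure Resource Group Deletion": {
        "event.dataset": {"azure.activitylogs"},
        "azure.activitylogs.operation_name": {
            "MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE"},
        "event.outcome": OUTCOME_OK,
    },
}


def matches(doc, rule):
    """True when, for every clause, at least one resolved value is an accepted value."""
    return all(any(v in accepted for v in resolve(doc, path)) for path, accepted in rule.items())


def evaluate(events, rules=RULES):
    """Return (event index, rule name) pairs for every event/rule combination that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in rules.items() if matches(ev, rule)]


if __name__ == "__main__":
    for idx, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

Events 0, 1 and 4 fire; event 2 is rejected by the display-name clause and event 3 by the outcome clause, which is the behaviour to expect from the page's queries when tuning exceptions.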

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.auditlogs and
    azure.auditlogs.properties.category:RoleManagement and
    azure.auditlogs.operation_name:("Add eligible member to role in PIM
    completed (permanent)" or "Add member to role in PIM completed
    (timebound)") and
    azure.auditlogs.properties.target_resources.*.display_name:"Global
    Administrator" and event.outcome:Success

=== Azure Key Vault Modified

Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Data Protection

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and
azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE"
and event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and
    azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and
    azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and
    event.outcome:Success

=== Azure Network Watcher Deletion

Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Network Security

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success
or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:(Success
    or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:Success

=== Azure Privilege Identity Management Role Modified

Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target’s environment or modify a PIM role to weaken their target’s security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.auditlogs and
azure.auditlogs.operation_name:"Update role setting in PIM" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.auditlogs and
    azure.auditlogs.operation_name:"Update role setting in PIM" and
    event.outcome:Success

=== Azure Resource Group Deletion

Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Log Auditing

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and
    event.outcome:Success

=== Azure Service Principal Addition

Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it’s always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Fleet Integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add
service principal" and event.outcome:(success or Success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Azure Storage Account Key Regenerated

Identifies a rotation of storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

It’s recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and
    event.outcome:(Success or success)
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Updated query, changed from:

    event.dataset:azure.activitylogs and azure.activitylogs.operation_name
    :MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and
    event.outcome:Success

=== Base16 or Base32 Encoding/Decoding Activity

Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Defense Evasion

Version: 7 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:(base16 or base32 or base32plain or base32hex)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 7 (7.12.0 release)
  • Formatting only
Version 6 (7.11.2 release)
  • Formatting only
Version 5 (7.11.0 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Formatting only
Version 3 (7.9.1 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Updated query, changed from:

    event.action:(executed or process_started) and process.name:(base16 or
    base32 or base32plain or base32hex)

=== Base64 Encoding/Decoding Activity

Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Defense Evasion

Version: 7 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:(base64 or base64plain or base64url or base64mime or
base64pem)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 7 (7.12.0 release)
  • Formatting only
Version 6 (7.11.2 release)
  • Formatting only
Version 5 (7.11.0 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Formatting only
Version 3 (7.9.1 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Updated query, changed from:

    event.action:(executed or process_started) and process.name:(base64 or
    base64plain or base64url or base64mime or base64pem)

=== Bash Shell Profile Modification

Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user’s context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell.

Rule type: query

Rule indices:

  • logs-endpoint.events.*
  • auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Linux
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Changes to the shell profile tend to be noisy; tuning for your environment will be required.

==== Rule query

event.category:file and event.type:change and process.name:(* and not
(sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or
login or cat or cp or launchctl or java)) and not
process.executable:(/Applications/* or /private/var/folders/* or
/usr/local/*) and file.path:(/private/etc/rc.local or /etc/rc.local or
/home/*/.profile or /home/*/.profile1 or /home/*/.bash_profile or
/home/*/.bash_profile1 or /home/*/.bashrc or /Users/*/.bash_profile or
/Users/*/.zshenv)
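The query above is mostly exclusion logic: the process name must exist and not be one of the listed editors and shells, the executable must not live under the listed directories, and only then does the file path have to match one of the profile globs. The Python emulation below, run over constructed file-change events, is an added example and not code from the page or from Elastic; it assumes ECS-style `event`, `process` and `file` fields, and `fnmatchcase` is used because its `*` matches any characters including `/`, like a KQL wildcard on a keyword field, and because keyword matching is case-sensitive.

```python
"""Emulate the Bash Shell Profile Modification query over constructed file events."""
from fnmatch import fnmatchcase

# Value lists copied from the rule query.
EXCLUDED_PROCESS_NAMES = {"sudo", "vim", "zsh", "env", "nano", "bash", "Terminal",
                          "xpcproxy", "login", "cat", "cp", "launchctl", "java"}
EXCLUDED_EXECUTABLE_GLOBS = ("/Applications/*", "/private/var/folders/*", "/usr/local/*")
WATCHED_PATH_GLOBS = (
    "/private/etc/rc.local", "/etc/rc.local",
    "/home/*/.profile", "/home/*/.profile1",
    "/home/*/.bash_profile", "/home/*/.bash_profile1", "/home/*/.bashrc",
    "/Users/*/.bash_profile", "/Users/*/.zshenv",
)


def shell_profile_modified(event: dict) -> bool:
    """True when the event satisfies every clause of the rule query."""
    ev = event.get("event", {})
    if ev.get("category") != "file" or ev.get("type") != "change":
        return False
    proc = event.get("process", {})
    # process.name:(* and not (...)) : the field must exist and not be an excluded name
    name = proc.get("name")
    if not name or name in EXCLUDED_PROCESS_NAMES:
        return False
    # not process.executable:(/Applications/* or ...) : executable must not be under those dirs
    exe = proc.get("executable", "")
    if any(fnmatchcase(exe, g) for g in EXCLUDED_EXECUTABLE_GLOBS):
        return False
    # file.path:(...) : the written file must be one of the watched profile paths
    path = event.get("file", {}).get("path", "")
    return any(fnmatchcase(path, g) for g in WATCHED_PATH_GLOBS)


def make_event(name: str, executable: str, path: str) -> dict:
    """Build a constructed ECS-style file-change event (sample data, not a real log)."""
    return {"event": {"category": "file", "type": "change"},
            "process": {"name": name, "executable": executable},
            "file": {"path": path}}


# Constructed sample events; user names and paths are invented.
SAMPLE_EVENTS = [
    make_event("python3", "/usr/bin/python3", "/home/alice/.bashrc"),   # fires
    make_event("vim", "/usr/bin/vim", "/home/alice/.bashrc"),           # editor is excluded
    make_event("curl", "/usr/local/bin/curl", "/Users/bob/.zshenv"),    # executable dir excluded
    make_event("curl", "/usr/bin/curl", "/Users/bob/.zshenv"),          # fires
    make_event("python3", "/usr/bin/python3", "/home/alice/.zshrc"),    # path is not watched
]


def evaluate(events) -> list:
    """Indices of the events that would raise an alert."""
    return [i for i, e in enumerate(events) if shell_profile_modified(e)]


if __name__ == "__main__":
    print("alerting events:", evaluate(SAMPLE_EVENTS))
```

Because the exclusions are applied before the path test, an environment-specific tuning usually means extending `EXCLUDED_PROCESS_NAMES` or `EXCLUDED_EXECUTABLE_GLOBS` with the configuration-management or dotfile tooling that legitimately writes these files.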

==== Threat mapping

Framework: MITRE ATT&CK™

=== Bypass UAC via Event Viewer

Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation

Version: 7 (version history)

Added (Elastic Stack release): 7.7.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.parent.name:eventvwr.exe and not
process.executable:("C:\Windows\SysWOW64\mmc.exe" or
"C:\Windows\System32\mmc.exe")

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 7 (7.12.0 release)
  • Formatting only
Version 6 (7.11.2 release)
  • Formatting only
Version 5 (7.11.0 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Formatting only
Version 3 (7.9.1 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Updated query, changed from:

    process.parent.name:eventvwr.exe and event.action:"Process Create
    (rule: ProcessCreate)" and not
    process.executable:("C:\Windows\SysWOW64\mmc.exe" or
    "C:\Windows\System32\mmc.exe")

=== Clearing Windows Event Logs

Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 8 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(process_started or start) and
(process.name:"wevtutil.exe" or
process.pe.original_file_name:"wevtutil.exe") and
process.args:("/e:false" or cl or "clear-log") or
process.name:"powershell.exe" and process.args:"Clear-EventLog"

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 8 (7.12.0 release)
  • Formatting only
Version 7 (7.11.2 release)
  • Formatting only
Version 6 (7.11.0 release)
  • Updated query, changed from:

    event.category:process and event.type:(start or process_started) and
    process.name:wevtutil.exe and process.args:cl or
    process.name:powershell.exe and process.args:Clear-EventLog
Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.1 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.name:wevtutil.exe and process.args:cl or
    process.name:powershell.exe and process.args:Clear-EventLog
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    (process.name:"wevtutil.exe" and process.args:"cl") or
    (process.name:"powershell.exe" and process.args:"Clear-EventLog")

=== Cobalt Strike Command and Control Beacon

Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.

Rule type: query

Rule indices:

  • packetbeat-*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Network
  • Threat Detection
  • Command and Control

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

This rule should be tailored to exclude systems, as sources or destinations, on which this behavior is expected.

==== Investigation guide

This activity has been observed in FIN7 campaigns.

==== Rule query

event.category:(network OR network_traffic) AND type:(tls OR http) AND
network.transport:tcp AND
destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/
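Two properties of the regular expression in this query matter when reproducing or tuning it: a Lucene regexp query is anchored to the whole field value, so it behaves like a full match rather than a substring search, and the two unquoted dots in `[a-z]{3}.stage.[0-9]{8}` match any character, not only a literal dot. The Python check below, over constructed domain names, is an added example and not code from the page or from Elastic; the packetbeat field layout (`type` at the top level, `event.category`, `network.transport`, `destination.domain`) is assumed from the query.

```python
"""Check destination domains against the beacon-staging pattern from the rule query."""
import re

# The rule's pattern, without the enclosing slashes of the query syntax.
BEACON_STAGE_RE = re.compile(r"[a-z]{3}.stage.[0-9]{8}\..*")


def is_beacon_stage_domain(domain: str) -> bool:
    """Lucene regexp queries match the entire term, so use fullmatch rather than search."""
    return BEACON_STAGE_RE.fullmatch(domain) is not None


def matches_rule(event: dict) -> bool:
    """All clauses of the rule query, evaluated on one constructed network event."""
    return (event.get("event", {}).get("category") in ("network", "network_traffic")
            and event.get("type") in ("tls", "http")
            and event.get("network", {}).get("transport") == "tcp"
            and is_beacon_stage_domain(event.get("destination", {}).get("domain", "")))


def classify(domains) -> dict:
    """Map each domain to whether the pattern matches it."""
    return {d: is_beacon_stage_domain(d) for d in domains}


# Constructed domain names (reserved example TLD, not real infrastructure).
SAMPLE_DOMAINS = [
    "abc.stage.12345678.example.test",       # matches
    "abc.stage.1234567.example.test",        # only seven digits -> no match
    "evil.abc.stage.12345678.example.test",  # pattern present, but not at the start -> no match
    "xyzXstageX87654321.example.test",       # unescaped dots match any character -> matches
    "www.example.test",                      # no match
]

# One constructed packetbeat-style event for the full rule check.
SAMPLE_EVENT = {
    "event": {"category": "network_traffic"},
    "type": "tls",
    "network": {"transport": "tcp"},
    "destination": {"domain": "abc.stage.12345678.example.test"},
}


if __name__ == "__main__":
    for domain, hit in classify(SAMPLE_DOMAINS).items():
        print(f"{'HIT ' if hit else 'miss'} {domain}")
    print("full rule on SAMPLE_EVENT:", matches_rule(SAMPLE_EVENT))
```

The `evil.abc.stage...` case is the one a `re.search`-based reimplementation would get wrong; the `xyzXstageX...` case shows that the pattern as written is slightly broader than "three letters, dot, stage, dot, eight digits".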

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Formatting only

=== Command Execution via SolarWinds Process

A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Execution

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Trusted SolarWinds child processes may trigger this rule. Verify process details such as network connections and file writes.

==== Rule query

process where event.type in ("start", "process_started") and
process.name: ("cmd.exe", "powershell.exe") and process.parent.name: (
"ConfigurationWizard*.exe", "NetflowDatabaseMaintenance*.exe",
"NetFlowService*.exe", "SolarWinds.Administration*.exe",
"SolarWinds.Collector.Service*.exe", "SolarwindsDiagnostics*.exe"
)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Command Prompt Network Connection

Identifies cmd.exe making a network connection. Adversaries can abuse cmd.exe to download or execute malware from a remote URL.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Execution

Version: 6 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Administrators may use the command prompt for regular administrative tasks. It’s important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.

==== Rule query

sequence by process.entity_id [process where process.name :
"cmd.exe" and event.type == "start"] [network where process.name :
"cmd.exe" and not cidrmatch(destination.ip, "10.0.0.0/8",
"172.16.0.0/12", "192.168.0.0/16")]

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 6 (7.12.0 release)
  • Formatting only
Version 5 (7.10.0 release)
  • Updated query, changed from:

    event.category:network and event.type:connection and
    process.name:cmd.exe and not destination.ip:(10.0.0.0/8 or
    172.16.0.0/12 or 192.168.0.0/16)
Version 4 (7.9.1 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Updated query, changed from:

    process.name:cmd.exe and event.action:"Network connection detected
    (rule: NetworkConnect)" and not destination.ip:(10.0.0.0/8 or
    172.16.0.0/12 or 192.168.0.0/16)
Version 2 (7.7.0 release)
  • Updated query, changed from:

    process.name:cmd.exe and event.action:"Network connection detected
    (rule: NetworkConnect)" and not destination.ip:10.0.0.0/8 and not
    destination.ip:172.16.0.0/12 and not destination.ip:192.168.0.0/16

=== Command Shell Activity Started via RunDLL32

Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Execution

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

process where event.type in ("start", "process_started") and
process.name : ("cmd.exe", "powershell.exe") and process.parent.name
: "rundll32.exe" and /* common FPs can be added here */ not
process.parent.args :
"C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL"

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Component Object Model Hijacking

Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

registry where /* uncomment once length is stable
length(bytes_written_string) > 0 and */ (registry.path :
"HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll",
"C:\\*\\scrobj.dll") and not registry.path :
"*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") or /* in general
COM Registry changes on Users Hive is less noisy and worth alerting */
(registry.path : ("HKEY_USERS\\*Classes\\*\\InprocXServer32\\",
"HKEY_USERS\\*Classes\\*\\LocalServer32\\",
"HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
"HKEY_USERS\\*Classes\\*\\TreatAs\\",
"HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and /* not
necessary but good for filtering privileged installations */
user.domain != "NT AUTHORITY")

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Conhost Spawned By Suspicious Parent Process

Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Execution

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:conhost.exe and process.parent.name:(svchost.exe or
lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe
or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or
wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Connection to Commonly Abused Free SSL Certificate Providers

Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Command and Control

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

network where network.protocol == "dns" and /* Add new free SSL
certificate provider domains here */ dns.question.name :
("*letsencrypt.org", "*.sslforfree.com", "*.zerossl.com",
"*.freessl.org") and /* Native Windows process paths that are
unlikely to have network connections to domains secured using free SSL
certificates */ process.executable :
("C:\\Windows\\System32\\*.exe",
"C:\\Windows\\System\\*.exe",
"C:\\Windows\\SysWOW64\\*.exe",
"C:\\Windows\\Microsoft.NET\\Framework*\\*.exe",
"C:\\Windows\\explorer.exe",
"C:\\Windows\\notepad.exe") and /* Insert noisy false positives
here */ not process.name : ("svchost.exe", "MicrosoftEdge*.exe",
"msedge.exe")

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Connection to Commonly Abused Web Services

Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in with the network.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Command and Control

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

network where network.protocol == "dns" and /* Add new WebSvc
domains here */ dns.question.name : (
"*.githubusercontent.*", "*.pastebin.*",
"*drive.google.*", "*docs.live.*",
"*api.dropboxapi.*", "*dropboxusercontent.*",
"*onedrive.*", "*4shared.*", "*.file.io",
"*filebin.net", "*slack-files.com", "*ghostbin.*",
"*ngrok.*", "*portmap.*", "*serveo.net",
"*localtunnel.me", "*pagekite.me", "*localxpose.io",
"*notabug.org" ) and /* Insert noisy false positives here */
not process.name : ( "MicrosoftEdgeCP.exe",
"MicrosoftEdge.exe", "iexplore.exe", "chrome.exe",
"msedge.exe", "opera.exe", "firefox.exe",
"Dropbox.exe", "slack.exe", "svchost.exe",
"thunderbird.exe", "outlook.exe", "OneDrive.exe" )
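Both this rule and "Connection to Commonly Abused Free SSL Certificate Providers" above follow the same shape: a DNS question name matched against a wildcard list, minus an exclusion list of noisy processes. The Python below is an added example, not Elastic's code, that evaluates both rules over constructed DNS events. It assumes flattened ECS field names as dictionary keys and approximates EQL `:` semantics (case-insensitive, `*` matches any run of characters); the executable paths and process names in the samples are constructed.

```python
import re


def eql_wildcard(pattern: str) -> re.Pattern:
    """Compile an EQL ':' wildcard pattern: '*' matches any run of characters
    (including '.' and path separators) and the comparison ignores case."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)


def any_match(value: str, patterns) -> bool:
    return any(eql_wildcard(p).fullmatch(value) for p in patterns)


# Lists copied from the two rule queries on this page.
WEBSVC_DOMAINS = [
    "*.githubusercontent.*", "*.pastebin.*", "*drive.google.*", "*docs.live.*",
    "*api.dropboxapi.*", "*dropboxusercontent.*", "*onedrive.*", "*4shared.*",
    "*.file.io", "*filebin.net", "*slack-files.com", "*ghostbin.*", "*ngrok.*",
    "*portmap.*", "*serveo.net", "*localtunnel.me", "*pagekite.me",
    "*localxpose.io", "*notabug.org",
]
WEBSVC_EXCLUDED = [
    "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe", "iexplore.exe", "chrome.exe",
    "msedge.exe", "opera.exe", "firefox.exe", "Dropbox.exe", "slack.exe",
    "svchost.exe", "thunderbird.exe", "outlook.exe", "OneDrive.exe",
]
FREE_SSL_DOMAINS = ["*letsencrypt.org", "*.sslforfree.com", "*.zerossl.com", "*.freessl.org"]
NATIVE_WINDOWS_PATHS = [
    r"C:\Windows\System32\*.exe", r"C:\Windows\System\*.exe", r"C:\Windows\SysWOW64\*.exe",
    r"C:\Windows\Microsoft.NET\Framework*\*.exe", r"C:\Windows\explorer.exe",
    r"C:\Windows\notepad.exe",
]
FREE_SSL_EXCLUDED = ["svchost.exe", "MicrosoftEdge*.exe", "msedge.exe"]


def web_services_rule(ev: dict) -> bool:
    """'Connection to Commonly Abused Web Services'."""
    return (ev.get("network.protocol") == "dns"
            and any_match(ev.get("dns.question.name", ""), WEBSVC_DOMAINS)
            and not any_match(ev.get("process.name", ""), WEBSVC_EXCLUDED))


def free_ssl_rule(ev: dict) -> bool:
    """'Connection to Commonly Abused Free SSL Certificate Providers'."""
    return (ev.get("network.protocol") == "dns"
            and any_match(ev.get("dns.question.name", ""), FREE_SSL_DOMAINS)
            and any_match(ev.get("process.executable", ""), NATIVE_WINDOWS_PATHS)
            and not any_match(ev.get("process.name", ""), FREE_SSL_EXCLUDED))


def evaluate(events) -> list:
    """Return (rule, process.name, dns.question.name) for each firing event."""
    hits = []
    for ev in events:
        if web_services_rule(ev):
            hits.append(("web-services", ev["process.name"], ev["dns.question.name"]))
        if free_ssl_rule(ev):
            hits.append(("free-ssl", ev["process.name"], ev["dns.question.name"]))
    return hits


# Constructed sample DNS events (not captured telemetry).
SAMPLE_EVENTS = [
    {"network.protocol": "dns", "dns.question.name": "raw.githubusercontent.com",
     "process.name": "rundll32.exe", "process.executable": r"C:\Windows\System32\rundll32.exe"},
    {"network.protocol": "dns", "dns.question.name": "raw.githubusercontent.com",
     "process.name": "chrome.exe", "process.executable": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"network.protocol": "dns", "dns.question.name": "acme-v02.api.letsencrypt.org",
     "process.name": "regsvr32.exe", "process.executable": r"C:\Windows\SysWOW64\regsvr32.exe"},
    {"network.protocol": "dns", "dns.question.name": "acme-v02.api.letsencrypt.org",
     "process.name": "MicrosoftEdgeCP.exe", "process.executable": r"C:\Windows\SystemApps\MicrosoftEdgeCP.exe"},
    {"network.protocol": "dns", "dns.question.name": "github.com",
     "process.name": "powershell.exe", "process.executable": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The browser and Edge events are suppressed by the exclusion lists, and a query for `github.com` does not fire because only `*.githubusercontent.*` is listed; extending either list is the tuning knob the `/* ... */` comments in the queries point at.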

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Updated query, changed from:

    network where network.protocol == "dns" and /* Add new
    WebSvc domains here */ wildcard(dns.question.name,
    "*.githubusercontent.*",
    "*.pastebin.*",
    "*drive.google.*",
    "*docs.live.*",
    "*api.dropboxapi.*",
    "*dropboxusercontent.*",
    "*onedrive.*", "*4shared.*",
    "*.file.io", "*filebin.net",
    "*slack-files.com",
    "*ghostbin.*", "*ngrok.*",
    "*portmap.*", "*serveo.net",
    "*localtunnel.me",
    "*pagekite.me",
    "*localxpose.io",
    "*notabug.org" ) and
    /* Insert noisy false positives here */ not process.name
    in ("MicrosoftEdgeCP.exe",
    "MicrosoftEdge.exe",
    "iexplore.exe", "chrome.exe",
    "msedge.exe", "opera.exe",
    "firefox.exe", "Dropbox.exe",
    "slack.exe", "svchost.exe",
    "thunderbird.exe", "outlook.exe",
    "OneDrive.exe")
Version 2 (7.11.2 release)
  • Formatting only

=== Connection to External Network via Telnet

Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Lateral Movement

Version: 5 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Telnet can be used for both benign and malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious.

==== Rule query

sequence by process.entity_id [process where process.name ==
"telnet" and event.type == "start"] [network where process.name ==
"telnet" and not cidrmatch(destination.ip, "127.0.0.0/8",
"10.0.0.0/8", "172.16.0.0/12",
"192.168.0.0/16", "FE80::/10", "::1/128")]

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Updated query, changed from:

    event.category:network and event.type:(connection or start) and
    process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8
    or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128")
Version 3 (7.9.1 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Updated query, changed from:

    event.action:("connected-to" or "network_flow") and
    process.name:telnet and not destination.ip:(127.0.0.0/8 or 10.0.0.0/8
    or 172.16.0.0/12 or 192.168.0.0/16 or "FE80::/10" or "::1/128")

=== Connection to Internal Network via Telnet

Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Lateral Movement

Version: 5 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Telnet can be used for both benign and malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious.

==== Rule query

sequence by process.entity_id [process where process.name ==
"telnet" and event.type == "start"] [network where process.name ==
"telnet" and cidrmatch(destination.ip, "10.0.0.0/8",
"172.16.0.0/12", "192.168.0.0/16", "FE80::/10") and not
cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
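This rule, "Connection to External Network via Telnet" and "Command Prompt Network Connection" share one structure: an EQL `sequence by process.entity_id` that pairs a process start with a later network event from the same process, filtered by `cidrmatch`. The Python below is an added example, not Elastic's code, that models that structure for all three rules over constructed events. It assumes events arrive in timestamp order as flattened ECS dictionaries, applies no `maxspan`, and uses documentation address ranges (203.0.113.0/24, 198.51.100.0/24) to stand in for public destinations.

```python
import ipaddress


def cidrmatch(ip: str, *cidrs: str) -> bool:
    """Mimic EQL's cidrmatch(): true when ip falls inside any listed range.
    An IPv4 address never matches an IPv6 range and vice versa, which is why
    the telnet rules list both "127.0.0.0/8" and "::1/128" for loopback."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


PRIVATE_V4 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
LOOPBACK = ("127.0.0.0/8", "::1/128")
LINK_LOCAL_V6 = "FE80::/10"


def cmd_external(ev: dict) -> bool:
    """Second stage of 'Command Prompt Network Connection'."""
    return ev["process.name"] == "cmd.exe" and not cidrmatch(ev["destination.ip"], *PRIVATE_V4)


def telnet_external(ev: dict) -> bool:
    """Second stage of 'Connection to External Network via Telnet'."""
    return (ev["process.name"] == "telnet"
            and not cidrmatch(ev["destination.ip"], *LOOPBACK, *PRIVATE_V4, LINK_LOCAL_V6))


def telnet_internal(ev: dict) -> bool:
    """Second stage of 'Connection to Internal Network via Telnet'."""
    return (ev["process.name"] == "telnet"
            and cidrmatch(ev["destination.ip"], *PRIVATE_V4, LINK_LOCAL_V6)
            and not cidrmatch(ev["destination.ip"], *LOOPBACK))


def run_sequence(events, process_name: str, network_stage) -> list:
    """Approximate 'sequence by process.entity_id [process start] [network ...]'.

    Events must be in timestamp order.  A network event fires only if a start
    event for the same entity_id and process name was seen earlier; each start
    is consumed by the first network event that completes the sequence, so a
    second hit needs a fresh start (no maxspan is applied here)."""
    pending = set()
    hits = []
    for ev in events:
        eid = ev["process.entity_id"]
        if (ev["event.category"] == "process" and ev["event.type"] == "start"
                and ev["process.name"] == process_name):
            pending.add(eid)
        elif ev["event.category"] == "network" and eid in pending and network_stage(ev):
            hits.append((eid, ev["destination.ip"]))
            pending.discard(eid)
    return hits


# Constructed sample events in time order (not real endpoint telemetry).
SAMPLE_EVENTS = [
    {"event.category": "process", "event.type": "start", "process.name": "cmd.exe",
     "process.entity_id": "c1"},
    {"event.category": "network", "event.type": "connection", "process.name": "cmd.exe",
     "process.entity_id": "c1", "destination.ip": "203.0.113.10"},   # external: fires
    {"event.category": "network", "event.type": "connection", "process.name": "cmd.exe",
     "process.entity_id": "c1", "destination.ip": "10.1.2.3"},       # RFC 1918: ignored
    {"event.category": "process", "event.type": "start", "process.name": "telnet",
     "process.entity_id": "t1"},
    {"event.category": "network", "event.type": "connection", "process.name": "telnet",
     "process.entity_id": "t1", "destination.ip": "192.168.1.20"},   # internal telnet
    {"event.category": "process", "event.type": "start", "process.name": "telnet",
     "process.entity_id": "t2"},
    {"event.category": "network", "event.type": "connection", "process.name": "telnet",
     "process.entity_id": "t2", "destination.ip": "198.51.100.7"},   # external telnet
    {"event.category": "network", "event.type": "connection", "process.name": "telnet",
     "process.entity_id": "t3", "destination.ip": "198.51.100.7"},   # no start seen
]

if __name__ == "__main__":
    print("cmd external   :", run_sequence(SAMPLE_EVENTS, "cmd.exe", cmd_external))
    print("telnet external:", run_sequence(SAMPLE_EVENTS, "telnet", telnet_external))
    print("telnet internal:", run_sequence(SAMPLE_EVENTS, "telnet", telnet_internal))
```

The last sample shows the value of the join key: a network event with no matching process start for its `process.entity_id` never completes the sequence, so a rule of this shape depends on process-start telemetry being collected alongside network events.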

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 5 (7.12.0 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Updated query, changed from:

    event.category:network and event.type:(connection or start) and
    process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12
    or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128"))
Version 3 (7.9.1 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Updated query, changed from:

    event.action:("connected-to" or "network_flow") and
    process.name:telnet and destination.ip:((10.0.0.0/8 or 172.16.0.0/12
    or 192.168.0.0/16 or "FE80::/10") and not (127.0.0.0/8 or "::1/128"))

=== Creation of Hidden Files and Directories

Users can mark specific files as hidden simply by adding a dot (.) as the first character of the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.

Rule type: query

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 33

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Defense Evasion

Version: 6 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values.

==== Rule query

event.category:process AND event.type:(start or process_started) AND
process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") AND
process.args:/\.[a-zA-Z0-9_\-][a-zA-Z0-9_\-\.]{1,254}/ AND NOT
process.name:(ls or find)
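The following Python is an added example (not Elastic's code) that applies this query to constructed process events. Two details of the query are easy to miss and are exercised here: `process.args` is an array field, so any single argument matching the regexp is enough, and the regexp requires at least two characters after the leading dot, so `.`, `..` and `./script.sh` never match. Field names are assumed to be flattened ECS keys.

```python
import re

# The rule's regexp; Elasticsearch regexp queries match the whole term, so
# re.fullmatch reproduces the anchoring.  A matching name starts with "." and
# has at least two further characters, so "." and ".." never match.
HIDDEN_NAME_RE = re.compile(r"\.[a-zA-Z0-9_\-][a-zA-Z0-9_\-\.]{1,254}")
WATCHED_DIRS = {"/tmp", "/var/tmp", "/dev/shm"}
EXCLUDED_PROCESSES = {"ls", "find"}


def is_hidden_name(arg: str) -> bool:
    """True when a single process.args element has the shape of a hidden name.
    "./script.sh" does not match because "/" is outside the character class."""
    return HIDDEN_NAME_RE.fullmatch(arg) is not None


def matches_rule(ev: dict) -> bool:
    """process.args is an array field: the rule fires if ANY element matches."""
    if ev["event.category"] != "process":
        return False
    if ev["event.type"] not in ("start", "process_started"):
        return False
    if ev["process.working_directory"] not in WATCHED_DIRS:
        return False
    if ev["process.name"] in EXCLUDED_PROCESSES:
        return False
    return any(is_hidden_name(a) for a in ev["process.args"])


def alerting_command_lines(events) -> list:
    """Command lines (args joined) of the events the rule would alert on."""
    return [" ".join(ev["process.args"]) for ev in events if matches_rule(ev)]


def _ev(name, args, cwd, etype="start"):
    """Build one constructed process event."""
    return {"event.category": "process", "event.type": etype, "process.name": name,
            "process.args": args, "process.working_directory": cwd}


# Constructed sample events (not real auditbeat data).
SAMPLE_EVENTS = [
    _ev("touch", ["touch", ".cache-helper"], "/tmp"),           # fires
    _ev("ls", ["ls", "-la", ".cache-helper"], "/tmp"),          # excluded process
    _ev("mkdir", ["mkdir", ".x"], "/var/tmp"),                  # too short to match
    _ev("cp", ["cp", "./script.sh", "/dev/shm"], "/dev/shm"),   # "./" is not hidden
    _ev("cd", ["cd", ".."], "/tmp"),                            # ".." never matches
    _ev("touch", ["touch", ".profile-backup"], "/home/user"),   # not a watched dir
    _ev("bash", ["bash", ".run.sh"], "/dev/shm"),               # fires
]

if __name__ == "__main__":
    print(alerting_command_lines(SAMPLE_EVENTS))
```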

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 6 (7.12.0 release)
  • Formatting only
Version 5 (7.11.2 release)
  • Formatting only
Version 4 (7.11.0 release)
  • Formatting only
Version 3 (7.10.0 release)
  • Formatting only
Version 2 (7.9.1 release)
  • Formatting only

=== Creation of Hidden Launch Agent or Daemon

Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Persistence
  • Defense Evasion

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

file where event.type != "deletion" and file.path : (
"/System/Library/LaunchAgents/.*.plist",
"/Library/LaunchAgents/.*.plist",
"/Users/*/Library/LaunchAgents/.*.plist",
"/System/Library/LaunchDaemons/.*.plist",
"/Library/LaunchDaemons/.*.plist" )

==== Threat mapping

Framework: MITRE ATT&CK™

=== Creation of Hidden Login Item via Apple Script

Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Persistence
  • Execution

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

process where event.type in ("start", "process_started") and
process.name : "osascript" and process.command_line :
"osascript*login item*hidden:true*"

==== Threat mapping

Framework: MITRE ATT&CK™

=== Creation of a Hidden Local User Account

Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and to avoid appearing in the account listings produced by the net users command.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

registry where registry.path :
"HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\"

==== Threat mapping

Framework: MITRE ATT&CK™

=== Creation or Modification of Domain Backup DPAPI private key

Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Credential Access

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user master keys, which can then be used to decrypt any secrets protected by those keys.

==== Rule query

event.category:file and not event.type:deletion and
file.name:(ntds_capi_*.pfx or ntds_capi_*.pvk)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Formatting only

=== Creation or Modification of Root Certificate

Identifies the creation or modification of a local trusted root certificate in Windows. Installing a malicious root certificate would allow an attacker to masquerade malicious files as validly signed components from any entity (e.g. Microsoft). It could also allow an attacker to decrypt SSL traffic.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Certain applications may install root certificates for the purpose of inspecting SSL traffic.

==== Rule query

registry where event.type in ("creation", "change") and
registry.path : (
"HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates\\*\\Blob",
"HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\*\\Blob" )
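This rule and "Creation of Hidden Launch Agent or Daemon" above both reduce to matching a path field against a list of EQL wildcard patterns, gated on `event.type`. The Python below is an added example, not Elastic's code, that evaluates both over constructed events. It assumes flattened ECS keys and approximates EQL `:` semantics (case-insensitive, `*` spans any characters including path separators); the certificate thumbprint is an all-zero placeholder and the file paths are constructed.

```python
import re


def eql_wildcard(pattern: str) -> re.Pattern:
    """EQL ':' wildcard: '*' matches any run of characters, case-insensitively."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)


def any_match(value: str, patterns) -> bool:
    return any(eql_wildcard(p).fullmatch(value) for p in patterns)


# Path lists copied from the two rule queries.
ROOT_CERT_PATHS = [
    r"HKLM\Software\Microsoft\SystemCertificates\Root\Certificates\*\Blob",
    r"HKLM\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\*\Blob",
    r"HKLM\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\*\Blob",
    r"HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\*\Blob",
]
HIDDEN_LAUNCH_PATHS = [
    "/System/Library/LaunchAgents/.*.plist",
    "/Library/LaunchAgents/.*.plist",
    "/Users/*/Library/LaunchAgents/.*.plist",
    "/System/Library/LaunchDaemons/.*.plist",
    "/Library/LaunchDaemons/.*.plist",
]


def root_certificate_rule(ev: dict) -> bool:
    """'Creation or Modification of Root Certificate'."""
    return (ev["event.category"] == "registry"
            and ev["event.type"] in ("creation", "change")
            and any_match(ev["registry.path"], ROOT_CERT_PATHS))


def hidden_launch_rule(ev: dict) -> bool:
    """'Creation of Hidden Launch Agent or Daemon'."""
    return (ev["event.category"] == "file"
            and ev["event.type"] != "deletion"
            and any_match(ev["file.path"], HIDDEN_LAUNCH_PATHS))


def evaluate(events) -> list:
    """Return (rule, path) for every event that fires."""
    hits = []
    for ev in events:
        if root_certificate_rule(ev):
            hits.append(("root-certificate", ev["registry.path"]))
        if hidden_launch_rule(ev):
            hits.append(("hidden-launch-item", ev["file.path"]))
    return hits


# Placeholder for the SHA-1 thumbprint that names a certificate entry.
THUMBPRINT = "0" * 40


def cert_blob(store: str) -> str:
    """Registry path of a certificate Blob in the given HKLM system store."""
    return "\\".join(["HKLM", "Software", "Microsoft", "SystemCertificates",
                      store, "Certificates", THUMBPRINT, "Blob"])


# Constructed sample events (not real endpoint telemetry).
SAMPLE_EVENTS = [
    {"event.category": "registry", "event.type": "change",
     "registry.path": cert_blob("Root")},        # trusted root store: fires
    {"event.category": "registry", "event.type": "change",
     "registry.path": cert_blob("CA")},          # intermediate store: not covered
    {"event.category": "registry", "event.type": "deletion",
     "registry.path": cert_blob("AuthRoot")},    # removal is not in scope
    {"event.category": "file", "event.type": "creation",
     "file.path": "/Users/alice/Library/LaunchAgents/.com.example.helper.plist"},   # fires
    {"event.category": "file", "event.type": "creation",
     "file.path": "/Users/alice/Library/LaunchAgents/com.example.helper.plist"},    # not hidden
    {"event.category": "file", "event.type": "deletion",
     "file.path": "/Library/LaunchDaemons/.com.example.daemon.plist"},             # deletion
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The intermediate `CA` store sample is there to show a boundary of the rule as written: only the `Root` and `AuthRoot` stores (and their policy equivalents) are listed, so a certificate written elsewhere is not reported by this rule.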

==== Threat mapping

Framework: MITRE ATT&CK™

=== Creation or Modification of a new GPO Scheduled Task or Service

Detects the creation or modification of a new Group Policy-based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain-joined machines.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Persistence

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:file and not event.type:deletion and
file.path:(C\:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\ScheduledTasks\\ScheduledTasks.xml or
C\:\\Windows\\SYSVOL\\domain\\Policies\\*\\MACHINE\\Preferences\\Preferences\\Services\\Services.xml) and not
process.name:dfsrs.exe

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.11.2 release)
  • Formatting only
Version 2 (7.11.0 release)
  • Formatting only

=== Credential Acquisition via Registry Hive Dumping

Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Credential Access

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

process where event.type in ("start", "process_started") and
process.pe.original_file_name == "reg.exe" and process.args :
("save", "export") and process.args : ("hklm\\sam", "hklm\\security")

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Updated query, changed from:

    process where event.type in ("start", "process_started") and
    process.pe.original_file_name == "reg.exe" and process.args :
    ("save", "export") and process.args : ("hklm\\sam", "hklm\\security")
    and not process.parent.executable : "C:\\Program
    Files*\\Rapid7\\Insight
    Agent\\components\\insight_agent\\*\\ir_agent.exe"
Version 2 (7.11.2 release)
  • Updated query, changed from:

    process where event.type in ("start", "process_started") and
    process.pe.original_file_name == "reg.exe" and process.args :
    ("save", "export") and process.args : ("hklm\\sam", "hklm\\security")
    and not process.parent.executable : "C:\\Program
    Files*\\Rapid7\\Insight
    Agent\\components\\insight_agent\\*\\ir_agent.exe"

=== Credential Dumping - Detected - Elastic Endgame

Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Rule type: query

Rule indices:

  • endgame-*

Severity: high

Risk score: 73

Runs every: 10 minutes

Searches indices from: now-15m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Elastic Endgame

Version: 6 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.1

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.kind:alert and event.module:endgame and
endgame.metadata.type:detection and (event.action:cred_theft_event or
endgame.event_subtype_full:cred_theft_event)

==== Rule version history

Version 6 (7.12.1 release)
  • Formatting only
Version 5 (7.12.0 release)
  • Rule name changed from: Credential Dumping - Detected - Endpoint Security
Version 4 (7.10.0 release)
  • Rule name changed from: Credential Dumping - Detected - Elastic Endpoint Security
Version 3 (7.9.0 release)
  • Rule name changed from: Credential Dumping - Detected - Elastic Endpoint
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.kind:alert and event.module:endgame and
    event.action:cred_theft_event and endgame.metadata.type:detection

=== Credential Dumping - Prevented - Elastic Endgame

Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Rule type: query

Rule indices:

  • endgame-*

Severity: medium

Risk score: 47

Runs every: 10 minutes

Searches indices from: now-15m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Elastic Endgame

Version: 6 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.1

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.kind:alert and event.module:endgame and
endgame.metadata.type:prevention and (event.action:cred_theft_event or
endgame.event_subtype_full:cred_theft_event)

==== Rule version history

Version 6 (7.12.1 release)
  • Formatting only
Version 5 (7.12.0 release)
  • Rule name changed from: Credential Dumping - Prevented - Endpoint Security
Version 4 (7.10.0 release)
  • Rule name changed from: Credential Dumping - Prevented - Elastic Endpoint Security
Version 3 (7.9.0 release)
  • Rule name changed from: Credential Dumping - Prevented - Elastic Endpoint
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.kind:alert and event.module:endgame and
    event.action:cred_theft_event and endgame.metadata.type:prevention

=== Credential Manipulation - Detected - Elastic Endgame

Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Rule type: query

Rule indices:

  • endgame-*

Severity: high

Risk score: 73

Runs every: 10 minutes

Searches indices from: now-15m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Elastic Endgame

Version: 6 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.1

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.kind:alert and event.module:endgame and
endgame.metadata.type:detection and
(event.action:token_manipulation_event or
endgame.event_subtype_full:token_manipulation_event)

==== Rule version history

Version 6 (7.12.1 release)
  • Formatting only
Version 5 (7.12.0 release)
  • Rule name changed from: Credential Manipulation - Detected - Endpoint Security
Version 4 (7.10.0 release)
  • Rule name changed from: Credential Manipulation - Detected - Elastic Endpoint Security
Version 3 (7.9.0 release)
  • Rule name changed from: Credential Manipulation - Detected - Elastic Endpoint
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.kind:alert and event.module:endgame and
    event.action:token_manipulation_event and
    endgame.metadata.type:detection

=== Credential Manipulation - Prevented - Elastic Endgame

Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.

Rule type: query

Rule indices:

  • endgame-*

Severity: medium

Risk score: 47

Runs every: 10 minutes

Searches indices from: now-15m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Elastic Endgame

Version: 6 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.1

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.kind:alert and event.module:endgame and
endgame.metadata.type:prevention and
(event.action:token_manipulation_event or
endgame.event_subtype_full:token_manipulation_event)

==== Rule version history

Version 6 (7.12.1 release)
  • Formatting only
Version 5 (7.12.0 release)
  • Rule name changed from: Credential Manipulation - Prevented - Endpoint Security
Version 4 (7.10.0 release)
  • Rule name changed from: Credential Manipulation - Prevented - Elastic Endpoint Security
Version 3 (7.9.0 release)
  • Rule name changed from: Credential Manipulation - Prevented - Elastic Endpoint
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.kind:alert and event.module:endgame and
    event.action:token_manipulation_event and
    endgame.metadata.type:prevention

=== DNS Activity to the Internet

Detects when an internal network client sends DNS traffic directly to the Internet. This is atypical behavior for a managed network, and can be indicative of malware, exfiltration, command and control, or, simply, misconfiguration. This DNS activity also impacts your organization’s ability to provide enterprise monitoring and logging of DNS, and opens your network to a variety of abuses and malicious communications.

Rule type: query

Rule indices:

  • filebeat-*
  • packetbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Network
  • Threat Detection
  • Command and Control

Version: 8 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Exclude DNS servers from this rule as this is expected behavior. Endpoints usually query local DNS servers defined in their DHCP scopes, but this may be overridden if a user configures their endpoint to use a remote DNS server. This is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon DNS is utilized. Some consumer VPN services and browser plug-ins may send DNS traffic to remote Internet destinations. In that case, such devices or networks can be excluded from this rule when this is expected behavior.

==== Rule query

event.category:(network or network_traffic) and (event.type:connection
or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and
source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not
destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or
172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or 255.255.255.255 or
"::1" or "FE80::/10" or "FF00::/8")
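
The address logic of this query, re-implemented as an added example (not Elastic's code) in Python over constructed sample events, so the source and destination exclusions can be checked one event at a time, IPv6 cases included:

```python
# Added example, not Elastic's code: re-implements the address logic of the
# "DNS Activity to the Internet" rule query in Python over constructed events.
import ipaddress

# Source ranges the rule requires (RFC 1918 private space).
INTERNAL_SOURCES = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Destinations the rule excludes: private, loopback, link-local, multicast,
# broadcast and their IPv6 counterparts, as listed in the rule query.
EXCLUDED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
    "::1/128", "fe80::/10", "ff00::/8")]

def in_any(addr, nets):
    """True if addr falls inside any network of the same IP version."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip.version == net.version and ip in net for net in nets)

def is_dns_event(event):
    """Mirrors the category / type / port / dataset clauses of the query."""
    if event.get("event.category") not in ("network", "network_traffic"):
        return False
    if event.get("event.type") != "connection" and event.get("type") != "dns":
        return False
    return event.get("destination.port") == 53 or \
        event.get("event.dataset") == "zeek.dns"

def matches_rule(event):
    """True when an internal client talks DNS to a non-excluded destination."""
    if not is_dns_event(event):
        return False
    try:
        src_internal = in_any(event["source.ip"], INTERNAL_SOURCES)
        dst_excluded = in_any(event["destination.ip"], EXCLUDED_DESTINATIONS)
    except (KeyError, ValueError):
        return False  # missing or malformed address: no alert, as in the query
    return src_internal and not dst_excluded

def run_rule(events):
    return [e for e in events if matches_rule(e)]

# Constructed sample events (flattened ECS field names), not real traffic.
SAMPLE_EVENTS = [
    {"event.category": "network", "event.type": "connection", "destination.port": 53,
     "source.ip": "10.1.2.3", "destination.ip": "8.8.8.8"},        # alert: public resolver
    {"event.category": "network", "event.type": "connection", "destination.port": 53,
     "source.ip": "10.1.2.3", "destination.ip": "10.0.0.53"},      # internal DNS server
    {"event.category": "network", "event.type": "connection", "destination.port": 53,
     "source.ip": "192.168.1.10", "destination.ip": "224.0.0.251"},  # multicast, excluded
    {"event.category": "network_traffic", "type": "dns", "event.dataset": "zeek.dns",
     "source.ip": "172.16.5.5", "destination.ip": "2001:4860:4860::8888"},  # alert: IPv6
    {"event.category": "network", "event.type": "connection", "destination.port": 53,
     "source.ip": "172.16.5.5", "destination.ip": "FE80::1"},      # link-local, excluded
    {"event.category": "network", "event.type": "connection", "destination.port": 53,
     "source.ip": "203.0.113.7", "destination.ip": "8.8.8.8"},     # source not internal
]
```

Only the first and fourth sample events should alert; the others are filtered by the destination exclusions, the port check, or the internal-source requirement.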

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 8 (7.12.0 release)
  • Formatting only
Version 7 (7.11.2 release)
  • Formatting only
Version 6 (7.11.0 release)
  • Updated query, changed from:

    event.category:(network or network_traffic) and (event.type:connection
    or type:dns) and (destination.port:53 or event.dataset:zeek.dns) and
    source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
    destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 169.254.169.254/32 or
    172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or 224.0.0.252 or
    255.255.255.255 or "::1" or "ff02::fb")
Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.0 release)
  • Updated query, changed from:

    destination.port:53 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or
    192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or
    169.254.169.254/32 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251
    or 224.0.0.252 or 255.255.255.255 or "::1" or "ff02::fb")
Version 3 (7.7.0 release)
  • Updated query, changed from:

    destination.port:53 and ( network.direction: outbound or (
    source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
    destination.ip:( 169.254.169.254/32 or 127.0.0.53/32 or 10.0.0.0/8 or
    172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.251 or ff02\:\:fb or
    255.255.255.255 ) ) )
Version 2 (7.6.1 release)
  • Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.

=== DNS Tunneling

Detects unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.

Rule type: machine_learning

Machine learning job: packetbeat_dns_tunneling

Machine learning anomaly threshold: 50

Severity: low

Risk score: 21

Runs every: 15 minutes

Searches indices from: now-45m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Network
  • Threat Detection
  • ML

Version: 4 (version history)

Added (Elastic Stack release): 7.7.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded.

==== Rule version history

Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.10.0 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Formatting only

=== Default Cobalt Strike Team Server Certificate

This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. If using Filebeat, this rule requires the Suricata or Zeek modules. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1) - see the Reference section for additional information on module configuration.

Rule type: query

Rule indices:

  • filebeat-*
  • packetbeat-*

Severity: critical

Risk score: 99

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Command and Control
  • Post-Execution
  • Threat Detection
  • Elastic
  • Network

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators; alerts should be investigated rapidly.

==== Rule query

event.category:(network or network_traffic) and
(tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or
tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or
tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only

=== Delete Volume USN Journal with Fsutil

Identifies use of fsutil.exe to delete the USN change journal (USNJRNL) of a volume. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 8 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:fsutil.exe and process.args:(deletejournal and usn)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 8 (7.12.0 release)
  • Formatting only
Version 7 (7.11.2 release)
  • Formatting only
Version 6 (7.11.0 release)
  • Formatting only
Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.1 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.name:fsutil.exe and process.args:(deletejournal and usn)
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.name:"fsutil.exe" and process.args:("usn" and "deletejournal")

=== Deleting Backup Catalogs with Wbadmin

Identifies use of wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 8 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:wbadmin.exe and process.args:(catalog and delete)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 8 (7.12.0 release)
  • Formatting only
Version 7 (7.11.2 release)
  • Formatting only
Version 6 (7.11.0 release)
  • Formatting only
Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.1 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.name:wbadmin.exe and process.args:(catalog and delete)
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.name:"wbadmin.exe" and process.args:("delete" and "catalog")

=== Direct Outbound SMB Connection

Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Lateral Movement

Version: 6 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

sequence by process.entity_id [process where event.type == "start"
and process.pid != 4] [network where destination.port == 445 and
process.pid != 4 and not cidrmatch(destination.ip, "127.0.0.1",
"::1")]

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 6 (7.12.0 release)
  • Formatting only
Version 5 (7.10.0 release)
  • Updated query, changed from:

    event.category:network and event.type:connection and
    destination.port:445 and not process.pid:4 and not
    destination.ip:(127.0.0.1 or "::1")
Version 4 (7.9.1 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Updated query, changed from:

    event.action:"Network connection detected (rule: NetworkConnect)" and
    destination.port:445 and not process.pid:4 and not
    destination.ip:(127.0.0.1 or "::1")
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.action:"Network connection detected (rule: NetworkConnect)" and
    destination.port:445 and not process.pid:4 and not
    destination.ip:("127.0.0.1" or "::1")

=== Disable Windows Firewall Rules via Netsh

Identifies use of netsh.exe to disable or weaken the local firewall. Attackers will use this command-line tool to disable the firewall during troubleshooting or to enable network mobility.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 8 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:netsh.exe and process.args:(disable and firewall and set)
or process.args:(advfirewall and off and state)

==== Threat mapping

Framework: MITRE ATT&CK™

==== Rule version history

Version 8 (7.12.0 release)
  • Formatting only
Version 7 (7.11.2 release)
  • Formatting only
Version 6 (7.11.0 release)
  • Formatting only
Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.1 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.name:netsh.exe and process.args:(disable and firewall and set)
    or process.args:(advfirewall and off and state)
Version 2 (7.7.0 release)
  • Updated query, changed from:

    event.action:"Process Create (rule: ProcessCreate)" and
    process.name:"netsh.exe" and process.args:("firewall" and "set" and
    "disable") or process.args:("advfirewall" and "state" and "off")

=== Disabling User Account Control via Registry Modification

User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes that bypass User Account Control (UAC) protection.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Privilege Escalation

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

registry where event.type == "change" and registry.path : (
  "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
  "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin",
  "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop"
) and registry.data.strings : "0"

==== Threat mapping

Framework: MITRE ATT&CK™

=== Domain Added to Google Workspace Trusted Domains

Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target’s organization with less restrictive security controls.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-google_workspace*

Severity: high

Risk score: 73

Runs every: 10 minutes

Searches indices from: now-130m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Google Workspace
  • Continuous Monitoring
  • SecOps
  • Configuration Audit

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior.

==== Investigation guide

  • Important Information Regarding Google Workspace Event Lag Times
## Config

The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

### Important Information Regarding Google Workspace Event Lag Times
- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information.
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/7.12/filebeat-module-google_workspace.html

==== Rule query

event.dataset:(gsuite.admin or google_workspace.admin) and
event.provider:admin and event.category:iam and
event.action:ADD_TRUSTED_DOMAINS

==== Rule version history

Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.11.2 release)
  • Formatting only