[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324)

* rule tuning Okta and AWS lookback times

* adjusted Query Registry using Built-in Tools

* adjusted My First Rule

* Update rules/cross-platform/guided_onboarding_sample_rule.toml

Co-authored-by: Mika Ayenson <[email protected]>

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Mika Ayenson <[email protected]>

---------

Co-authored-by: Mika Ayenson <[email protected]>

Removed changes from:
- rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

(selectively cherry picked from commit dad008e)
terrancedejesus authored and github-actions[bot] committed Dec 19, 2024
1 parent 1f87d87 commit 302c3bf
Showing 3 changed files with 8 additions and 8 deletions.
6 changes: 3 additions & 3 deletions rules/cross-platform/guided_onboarding_sample_rule.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/09/22"
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/12/19"

[rule]
author = ["Elastic"]
@@ -13,9 +13,9 @@ enabled = false
false_positives = [
"This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
]
from = "now-30m"
from = "now-35m"
index = ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"]
interval = "24h"
interval = "30m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1
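Review bot: the `from`/`interval` pairing in this hunk closes a coverage gap rather than merely tuning: with the old `interval = "24h"` and `from = "now-30m"`, each daily run queried only the last 30 minutes, so events from the remaining ~23.5 hours of each day were never evaluated. The new `interval = "30m"` with `from = "now-35m"` runs every half hour with a 5-minute overlap to absorb ingest lag. With `max_signals = 1` capping output, the 48x higher run frequency is cheap, but the commit message only says "adjusted My First Rule"; suggest stating the reason (closing the lookback gap) so a future tuner does not revert to the daily interval.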
@@ -2,7 +2,7 @@
creation_date = "2024/04/11"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/12/19"

[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
APIs for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-5m"
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
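Review bot: `from` moves from `now-5m` to `now-9m`, but `interval` is outside this hunk; please confirm it is still shorter than 9 minutes so consecutive runs overlap instead of leaving gaps. Because this is a threshold rule (the triage note counts 20 or more `GetSecretValue`/`BatchGetSecretValue` calls by the same identity over the rule's query window), widening that window from 5 to 9 minutes also widens the span over which the 20-event count accumulates and so slightly raises sensitivity; consider stating the window explicitly in the note rather than "within a short timespan".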
@@ -28,7 +28,7 @@ note = """## Triage and analysis
AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.
This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.
#### Possible investigation steps
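Review bot: the removed and added description lines in this hunk render identically, so this looks like a whitespace-only change (trailing whitespace or line-ending normalisation); if so it is fine, but saying so in the commit message saves reviewers a character-by-character comparison. Separately, this rule's triage note describes AWS Secrets Manager `GetSecretValue`/`BatchGetSecretValue` retrieval, while the commit title says "AWS KMS Retrieval Rules"; suggest aligning the title with the rule actually touched.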
4 changes: 2 additions & 2 deletions rules_building_block/discovery_generic_registry_query.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/07/13"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/12/19"

[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ registry to gain situational awareness about the host, like installed security s
"""
from = "now-24h"
index = ["logs-endpoint.events.process-*"]
interval = "24h"
interval = "12h"
language = "kuery"
license = "Elastic License v2"
name = "Query Registry using Built-in Tools"
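Review bot: `interval` drops from `24h` to `12h` while `from` stays at `now-24h`, so every run re-queries the whole window of the previous run and each matching process event falls inside two consecutive runs. The hunk header shows `bypass_bbr_timing = true`, so this building-block rule is exempt from the usual BBR scheduling; please confirm that repeated hits on the same source document are deduplicated as expected, or tighten `from` toward the interval (keeping a small overlap for ingest lag) if they are not. The commit message entry "adjusted Query Registry using Built-in Tools" does not say why 12h was chosen; a one-line rationale would help.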