From 302c3bf14d408815dfbbd7ac6c5942e5f8cf8f9b Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 19 Dec 2024 13:03:50 -0500
Subject: [PATCH] [Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324)

* rule tuning Okta and AWS lookback times
* adjusted Query Registry using Built-in Tools
* adjusted My First Rule
* Update rules/cross-platform/guided_onboarding_sample_rule.toml
Co-authored-by: Mika Ayenson
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Mika Ayenson
---------
Co-authored-by: Mika Ayenson
Removed changes from:
- rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
(selectively cherry picked from commit dad008ea347588e83c00cda37900a364fcd62008)
---
 rules/cross-platform/guided_onboarding_sample_rule.toml | 6 +++---
 ...rapid_secret_retrieval_attempts_from_secretsmanager.toml | 6 +++---
 rules_building_block/discovery_generic_registry_query.toml | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml
index 5bbe240e151..90163be7f7e 100644
--- a/rules/cross-platform/guided_onboarding_sample_rule.toml
+++ b/rules/cross-platform/guided_onboarding_sample_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/09/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -13,9 +13,9 @@ enabled = false
 false_positives = [
 "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
 ]
-from = "now-30m"
+from = "now-35m"
 index = ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"]
-interval = "24h"
+interval = "30m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1
diff --git a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
index f549188c2dd..7b637cda9ec 100644
--- a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
+++ b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 APIs for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-5m"
+from = "now-9m"
 index = ["filebeat-*", "logs-aws.cloudtrail*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -28,7 +28,7 @@ note = """## Triage and analysis
 
 AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
 
-This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.
+This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.
 
 #### Possible investigation steps
 
diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml
index cfe2edba2ae..4370465eb15 100644
--- a/rules_building_block/discovery_generic_registry_query.toml
+++ b/rules_building_block/discovery_generic_registry_query.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/07/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ registry to gain situational awareness about the host, like installed security s
 """
 from = "now-24h"
 index = ["logs-endpoint.events.process-*"]
-interval = "24h"
+interval = "12h"
 language = "kuery"
 license = "Elastic License v2"
 name = "Query Registry using Built-in Tools"
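Review bot: The interval change from `24h` to `30m` in the second hunk, combined with the unchanged `max_signals = 1` on the last context line, raises this sample rule's alert ceiling from one per day to up to 48 per day once a user enables it (it ships with `enabled = false`). Since the `false_positives` entry in the same hunk tells users to disable the rule once they are familiar with alerts, it is worth confirming that the much higher cadence is what onboarding should produce rather than a side effect of aligning it with the other rules. The 5-minute gap between `from = "now-35m"` and `interval = "30m"` keeps successive runs overlapping by a short buffer, which matches the pattern in the other files of this commit. The `[rule]` table continues past the end of the hunk.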
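Review bot: Moving `from` from `now-5m` to `now-9m` changes what the threshold means, not only how far back the rule reads: the count of 20 retrievals by one user identity is now evaluated over a 9-minute window, so a lower sustained rate of `GetSecretValue`/`BatchGetSecretValue` calls trips the rule than before. No `interval` key is visible in this hunk, so if the rule runs on a default 5-minute schedule the windows of consecutive runs overlap by roughly 4 minutes; whether a burst that straddles two runs can alert twice depends on the threshold rule's deduplication, which cannot be confirmed from the diff. The triage note edited in the following hunk still describes the condition as `within a short timespan`; consider stating the actual window, e.g. `within the rule's 9-minute lookback window`, so analysts know what the count represents. The `[rule]` table and the `false_positives` array both begin before this hunk.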
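Review bot: In the final hunk `interval` drops from `24h` to `12h` while `from = "now-24h"` on the context line above is left unchanged, so every run now re-scans the entire window of the previous run; the other two rules in this commit keep `from` only a few minutes ahead of `interval`. The `bypass_bbr_timing = true` key shown in this file's first hunk header appears to opt the rule out of the default building-block schedule, which would make these two keys the schedule that actually runs. If the 24-hour lookback is deliberate, for example to absorb late-arriving endpoint process events, confirm that intent; otherwise `from` should be tuned in step with the new interval, leaving a short buffer the way the other rules here do, since the overlap doubles the query work over `logs-endpoint.events.process-*` without adding coverage. The `[rule]` table continues past the end of the hunk.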