[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Re…

…trieval Rules (#4324) * rule tuning Okta and AWS lookback times * adjusted Query Registry using Built-in Tools * adjusted My First Rule * Update rules/cross-platform/guided_onboarding_sample_rule.toml Co-authored-by: Mika Ayenson <[email protected]> * Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml Co-authored-by: Mika Ayenson <[email protected]> --------- Co-authored-by: Mika Ayenson <[email protected]>
elastic · Dec 19, 2024 · dad008e · dad008e
1 parent 2ff2965
commit dad008e
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 12 deletions.
diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/09/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -13,9 +13,9 @@ enabled = false
 false_positives = [
     "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
 ]
-from = "now-30m"
+from = "now-35m"
 index = ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"]
-interval = "24h"
+interval = "30m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1

diff --git a/...tegrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml b/...tegrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
     APIs for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-5m"
+from = "now-9m"
 index = ["filebeat-*", "logs-aws.cloudtrail*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -28,7 +28,7 @@ note = """## Triage and analysis
 
 AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
 
-This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan. 
+This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.
 
 #### Possible investigation steps
 

diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/12/09"
+updated_date = "2024/12/19"
 min_stack_version = "8.15.0"
 min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
@@ -14,9 +14,9 @@ indicate that an attacker has stolen the user's session cookie and is using it t
 different location.
 """
 false_positives = ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."]
-from = "now-30m"
+from = "now-35m"
 index = ["filebeat-*", "logs-okta*"]
-interval = "60m"
+interval = "30m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Multiple Okta Sessions Detected for a Single User"
@@ -39,7 +39,9 @@ timestamp_override = "event.ingested"
 type = "threshold"
 
 query = '''
-event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*
+event.dataset:okta.system
+    and okta.event_type:user.session.start
+    and okta.authentication_context.external_session_id:*
     and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
 '''
 

diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/07/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ registry to gain situational awareness about the host, like installed security s
 """
 from = "now-24h"
 index = ["logs-endpoint.events.process-*"]
-interval = "24h"
+interval = "12h"
 language = "kuery"
 license = "Elastic License v2"
 name = "Query Registry using Built-in Tools"