From 495fb50f65be1fad62c19b0df287609cbc77f6e7 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 19 Dec 2024 09:22:31 -0500
Subject: [PATCH 1/5] rule tuning Okta and AWS lookback times

---
 ..._secret_retrieval_attempts_from_secretsmanager.toml | 6 +++---
 ...ral_movement_multiple_sessions_for_single_user.toml | 10 ++++++----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
index f549188c2dd..7b637cda9ec 100644
--- a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
+++ b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/07/23"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 APIs for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-5m"
+from = "now-9m"
 index = ["filebeat-*", "logs-aws.cloudtrail*"]
 language = "kuery"
 license = "Elastic License v2"
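Review bot: `+from = "now-9m"` is paired against an `interval` that is not in this hunk, and for a threshold rule `from` is also the window in which the 20 `GetSecretValue`/`BatchGetSecretValue` calls must occur, so this widens the detection window from 5 to 9 minutes (a lower effective rate) as well as adding lookback. If the interval is the default 5m, the 4-minute overlap also means calls landing in the overlap are seen by two consecutive runs, which is worth confirming against how threshold alerts are deduplicated. Record the pairing next to the key so the next tuner does not have to rediscover it, e.g. `# 4m overlap on the 5m interval for CloudTrail delivery lag; this is also the threshold counting window`, and consider stating the window in the `note` where it currently says "within a short timespan".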
@@ -28,7 +28,7 @@ note = """## Triage and analysis
 
 AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.
 
-This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.
+This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.
 
 #### Possible investigation steps
 
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index df9e1757100..7b50d40a4e8 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2024/12/09"
+updated_date = "2024/12/19"
 min_stack_version = "8.15.0"
 min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
 
@@ -14,9 +14,9 @@ indicate that an attacker has stolen the user's session cookie and is using it t
 different location.
 """
 false_positives = ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."]
-from = "now-30m"
+from = "now-60m"
 index = ["filebeat-*", "logs-okta*"]
-interval = "60m"
+interval = "30m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Multiple Okta Sessions Detected for a Single User"
@@ -39,7 +39,9 @@ timestamp_override = "event.ingested"
 type = "threshold"
 
 query = '''
-event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*
+event.dataset:okta.system
+ and okta.event_type:user.session.start
+ and okta.authentication_context.external_session_id:*
  and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
 '''
 
From c6aa03d017e402c877c702e7d5e5ed34c206131d Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 19 Dec 2024 10:44:27 -0500
Subject: [PATCH 2/5] adjusted Query Registry using Built-in Tools

---
 rules_building_block/discovery_generic_registry_query.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules_building_block/discovery_generic_registry_query.toml b/rules_building_block/discovery_generic_registry_query.toml
index cfe2edba2ae..4370465eb15 100644
--- a/rules_building_block/discovery_generic_registry_query.toml
+++ b/rules_building_block/discovery_generic_registry_query.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/07/13"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ registry to gain situational awareness about the host, like installed security s
 """
 from = "now-24h"
 index = ["logs-endpoint.events.process-*"]
-interval = "24h"
+interval = "12h"
 language = "kuery"
 license = "Elastic License v2"
 name = "Query Registry using Built-in Tools"
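Review bot: `+interval = "12h"` with `from = "now-24h"` left unchanged two lines above makes every `logs-endpoint.events.process-*` event eligible in two consecutive runs, doubling the query load of a rule that, per the `bypass_bbr_timing = true` shown in this file's `@@ -3,7` hunk header, already opts out of building-block scheduling limits. Whether that also yields duplicate building-block alerts depends on the rule `type`, which is outside the hunk; a plain query rule should be deduplicated by the engine's event-derived alert IDs, but the extra scan cost remains either way. If only ingest-lag tolerance was wanted, `from = "now-13h"` is the conventional pairing with a 12h interval; if the full re-scan is deliberate, say so with `# intentional 2x overlap: 24h lookback on a 12h interval`.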
From 597a95cfb258acf22c8b8bc8f903adffcf24766e Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 19 Dec 2024 10:46:58 -0500
Subject: [PATCH 3/5] adjusted My First Rule

---
 rules/cross-platform/guided_onboarding_sample_rule.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml
index 5bbe240e151..bd4e2acedbd 100644
--- a/rules/cross-platform/guided_onboarding_sample_rule.toml
+++ b/rules/cross-platform/guided_onboarding_sample_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/09/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -13,9 +13,9 @@ enabled = false
 false_positives = [
 "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
 ]
-from = "now-30m"
+from = "now-1h"
 index = ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"]
-interval = "24h"
+interval = "30m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1
From 6dc772cebe4c0c4cef329135dc92e78620ccb56d Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 19 Dec 2024 10:57:55 -0500
Subject: [PATCH 4/5] Update rules/cross-platform/guided_onboarding_sample_rule.toml

Co-authored-by: Mika Ayenson
---
 rules/cross-platform/guided_onboarding_sample_rule.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml
index bd4e2acedbd..90163be7f7e 100644
--- a/rules/cross-platform/guided_onboarding_sample_rule.toml
+++ b/rules/cross-platform/guided_onboarding_sample_rule.toml
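Review bot: `+interval = "30m"` moves this sample rule from one execution a day to 48, and with `max_signals = 1` (context at the end of the hunk) each matching run still produces an alert, so a user who leaves "My First Rule" enabled will now accumulate up to 48 onboarding alerts a day where they previously got one. The `false_positives` text already tells users to disable the rule once familiar, but the schedule change deserves a why-comment so it is not "fixed" back later, e.g. `# short interval so a first sample alert appears within ~30 minutes; users are told to disable the rule afterwards`. The `from` value set here is changed again in the following commit, so the interval is the durable change in this hunk.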
@@ -13,7 +13,7 @@ enabled = false
 false_positives = [
 "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
 ]
-from = "now-1h"
+from = "now-35m"
 index = ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"]
 interval = "30m"
 language = "kuery"
From 7a9c2e24adfc8548aaeb8da6fb8400f3d5b4b195 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 19 Dec 2024 11:02:37 -0500
Subject: [PATCH 5/5] Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Mika Ayenson
---
 .../lateral_movement_multiple_sessions_for_single_user.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index 7b50d40a4e8..9d015d679b8 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -14,7 +14,7 @@ indicate that an attacker has stolen the user's session cookie and is using it t
 different location.
 """
 false_positives = ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."]
-from = "now-60m"
+from = "now-35m"
 index = ["filebeat-*", "logs-okta*"]
 interval = "30m"
 language = "kuery"
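Review bot: `+from = "now-35m"` also fixes the threshold counting window for this rule (`type = "threshold"` is shown in the earlier hunk of the same file), so "multiple sessions for a single user" now means within 35 minutes rather than the 30 the interval implies, and a `user.session.start` that lands in the 5-minute overlap is counted by two consecutive runs. Because the rule has `timestamp_override = "event.ingested"`, the overlap only needs to absorb indexing/refresh delay, so 5 minutes is a sensible size; whether a second threshold alert for the same user is deduplicated across runs is not shown here and should be confirmed. Document the pairing inline, e.g. `# 5m overlap on the 30m interval (rule keys on event.ingested); this is also the threshold window`.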