[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules #4324

Merged
6 changes: 3 additions & 3 deletions rules/cross-platform/guided_onboarding_sample_rule.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/09/22"
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/12/19"

[rule]
author = ["Elastic"]
Expand All @@ -13,9 +13,9 @@ enabled = false
false_positives = [
"This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
]
from = "now-30m"
from = "now-35m"
index = ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"]
interval = "24h"
interval = "30m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1
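Review bot: the `interval` change from `"24h"` to `"30m"` is a 48x increase in how often this rule executes, not just a lookback adjustment, and this file is not covered by the PR title; please state the intent in the description. The pairing itself is consistent: `from = "now-35m"` with `interval = "30m"` leaves a 5-minute overlap to absorb ingest lag. Since `max_signals = 1` and the rule ships with `enabled = false`, the practical effect for anyone who turns this sample rule on is up to one onboarding alert every 30 minutes instead of one per day, which may be more noise than a guided-onboarding sample should generate.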
Expand Up @@ -2,7 +2,7 @@
creation_date = "2024/04/11"
integration = ["aws"]
maturity = "production"
updated_date = "2024/07/23"
updated_date = "2024/12/19"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ false_positives = [
APIs for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-5m"
from = "now-9m"
index = ["filebeat-*", "logs-aws.cloudtrail*"]
language = "kuery"
license = "Elastic License v2"
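Review bot: the `interval` for this rule is not in the hunk, so the overlap between `from = "now-9m"` and the run cadence cannot be confirmed from the diff; please confirm the interval (a 5m interval would give a 4m overlap, matching the 30m/35m pattern used elsewhere in this PR). Note also that for a threshold rule the `from` range is the aggregation window, so widening it from 5m to 9m means the 20-call threshold described in the rule note is now counted over 9 minutes rather than 5, which slightly lowers the rate of `GetSecretValue`/`BatchGetSecretValue` calls needed to trigger; if that is acceptable, say so in the description. Separately, the PR title says "AWS KMS Retrieval" while this rule covers Secrets Manager, so the title should be corrected.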
Expand All @@ -28,7 +28,7 @@ note = """## Triage and analysis

AWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.

This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.
This rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan.

#### Possible investigation steps

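Review bot: the old and new versions of the paragraph beginning `This rule looks for the rapid retrieval of credentials` are identical as rendered, so this hunk is a whitespace-only change (trailing whitespace or line ending). It is harmless but inflates the diff; either drop it or mention it in the PR description so reviewers do not hunt for a wording change that is not there.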
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/11/07"
integration = ["okta"]
maturity = "production"
updated_date = "2024/12/09"
updated_date = "2024/12/19"
min_stack_version = "8.15.0"
min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."

Expand All @@ -14,9 +14,9 @@ indicate that an attacker has stolen the user's session cookie and is using it t
different location.
"""
false_positives = ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."]
from = "now-30m"
from = "now-35m"
index = ["filebeat-*", "logs-okta*"]
interval = "60m"
interval = "30m"
language = "kuery"
license = "Elastic License v2"
name = "Multiple Okta Sessions Detected for a Single User"
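Review bot: this is the most consequential fix in the PR and deserves an explicit sentence in the description: with the previous `interval = "60m"` and `from = "now-30m"`, each run inspected only the last 30 minutes of every hour, so `user.session.start` events in the other 30 minutes were never evaluated by the threshold query at all. The new `interval = "30m"` with `from = "now-35m"` closes that coverage gap and leaves a 5-minute overlap for ingest lag.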
Expand All @@ -39,7 +39,9 @@ timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*
event.dataset:okta.system
and okta.event_type:user.session.start
and okta.authentication_context.external_session_id:*
and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
'''

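Review bot: the added clause `and not (okta.actor.id: okta* or okta.actor.display_name: okta*)` changes the detection logic and is not a lookback tuning, so it should be called out in the PR title and description together with the reason (presumably to drop Okta system or service actors that open sessions). Two points on the filter itself: the prefix wildcard on `okta.actor.display_name` also excludes any human user whose display name happens to begin with `okta`, which creates a blind spot for those accounts, so consider keying the exclusion on `okta.actor.id` alone or on a more specific identifier; and the excluded actors should be documented in `false_positives` or the rule note so future tuners know why the clause exists. Splitting the query across lines is fine and improves readability.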
4 changes: 2 additions & 2 deletions rules_building_block/discovery_generic_registry_query.toml
Expand Up @@ -3,7 +3,7 @@ bypass_bbr_timing = true
creation_date = "2023/07/13"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/12/19"

[rule]
author = ["Elastic"]
Expand All @@ -14,7 +14,7 @@ registry to gain situational awareness about the host, like installed security s
"""
from = "now-24h"
index = ["logs-endpoint.events.process-*"]
interval = "24h"
interval = "12h"
language = "kuery"
license = "Elastic License v2"
name = "Query Registry using Built-in Tools"
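Review bot: `interval` drops from `"24h"` to `"12h"` but the context line `from = "now-24h"` is unchanged, so consecutive runs now overlap by 12 hours and every event falls inside two evaluation windows. For a building-block rule with `bypass_bbr_timing = true` (visible in the first hunk of this file) that can double the alert volume for the same registry queries; if the goal is to halve detection latency, pair the 12h interval with a lookback only slightly longer than it (for example `from = "now-13h"`), as the other rules in this PR do with 30m/35m. This file is also not mentioned in the PR title.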