nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/promotions/execution_endgame_exploit_detected.toml

@@ -0,0 +1,97 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the
+rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Exploit - Detected - Elastic Endgame"
+risk_score = 73
+rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "high"
+tags = [
+    "Data Source: Elastic Endgame",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Exploit - Detected - Elastic Endgame
+
+Elastic Endgame is a security solution that monitors and detects exploit attempts within an environment. Adversaries exploit vulnerabilities to execute unauthorized code or escalate privileges. The detection rule identifies alerts from the Endgame module, focusing on exploit-related events. It leverages metadata and event actions to flag high-risk activities, aiding in swift threat detection and response.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the presence of event.kind:alert and event.module:endgame, ensuring the alert is relevant to the Elastic Endgame detection.
+- Examine the event.action and endgame.event_subtype_full fields to determine the specific exploit event type, which can provide insight into the nature of the exploit attempt.
+- Investigate the endgame.metadata.type field to gather additional context about the detection, such as the source and target of the exploit attempt.
+- Check the associated risk score and severity level to prioritize the investigation and response efforts, focusing on high-risk activities.
+- Correlate the alert with other related events in the environment to identify potential patterns or additional indicators of compromise.
+- Consult the MITRE ATT&CK framework for the Execution tactic (TA0002) to understand potential techniques that might have been used and to guide further investigation steps.
+
+### False positive analysis
+
+- Routine software updates or patches may trigger exploit detection alerts. Users can create exceptions for known update processes by identifying their unique metadata or event actions.
+- Legitimate administrative tools that perform actions similar to exploits might be flagged. Users should whitelist these tools by specifying their event.module or event.action attributes.
+- Automated scripts used for system maintenance could mimic exploit behavior. To prevent false positives, users can exclude these scripts by defining their specific endgame.event_subtype_full.
+- Security testing activities, such as penetration tests, may generate alerts. Users can manage these by setting temporary exceptions during the testing period, based on the event.kind or event.module.
+
+### Response and remediation
+
+- Isolate the affected system immediately to prevent further exploitation or lateral movement within the network.
+- Terminate any unauthorized processes identified as part of the exploit event to halt malicious activity.
+- Apply relevant security patches or updates to the affected system to address the exploited vulnerability and prevent recurrence.
+- Conduct a thorough forensic analysis of the affected system to identify any additional indicators of compromise or secondary payloads.
+- Restore the system from a known good backup if necessary, ensuring that the backup is free from any malicious artifacts.
+- Monitor the network for any signs of similar exploit attempts, using enhanced logging and alerting based on the identified threat indicators.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

nldcsc_elastic_rules/rules/promotions/execution_endgame_exploit_prevented.toml

@@ -0,0 +1,99 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the
+rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Exploit - Prevented - Elastic Endgame"
+risk_score = 47
+rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = [
+    "Data Source: Elastic Endgame",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Tactic: Privilege Escalation",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Exploit - Prevented - Elastic Endgame
+
+Elastic Endgame is a security solution designed to prevent exploits by monitoring and analyzing system behaviors. Adversaries often exploit vulnerabilities to execute unauthorized code or escalate privileges. This detection rule identifies prevention events where an exploit attempt was blocked, focusing on alerts from the Endgame module. By analyzing specific event actions and metadata, it helps security analysts quickly identify and respond to potential threats, ensuring system integrity and security.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the event.kind is 'alert' and event.module is 'endgame', ensuring the alert is relevant to the Elastic Endgame module.
+- Examine the endgame.metadata.type field to verify it is marked as 'prevention', indicating that the exploit attempt was successfully blocked.
+- Analyze the event.action and endgame.event_subtype_full fields to determine the specific type of exploit event that was attempted, such as 'exploit_event'.
+- Investigate the source and destination IP addresses, user accounts, and hostnames involved in the alert to identify potential points of compromise or targets.
+- Check for any related alerts or logs within the same timeframe to identify patterns or additional indicators of compromise that may suggest a broader attack campaign.
+- Assess the risk score and severity level to prioritize the investigation and determine if immediate action is required to mitigate potential threats.
+- Document findings and any actions taken in response to the alert to maintain a comprehensive record for future reference and analysis.
+
+### False positive analysis
+
+- Routine software updates or patches may trigger prevention alerts as they modify system files or configurations. Review the update schedule and correlate alerts with known maintenance windows to verify legitimacy.
+- Legitimate administrative tools or scripts that perform actions similar to exploit techniques can be flagged. Identify these tools and create exceptions for their known behaviors to reduce noise.
+- Security testing or vulnerability scanning activities might mimic exploit attempts. Coordinate with IT and security teams to whitelist these activities during scheduled assessments.
+- Custom applications with unique behaviors may be misidentified as threats. Work with development teams to understand these behaviors and adjust detection rules or create exceptions accordingly.
+- Frequent alerts from specific systems or users could indicate a misconfiguration. Investigate these patterns and adjust system settings or user permissions to align with security policies.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the adversary.
+- Verify the integrity of critical system files and applications on the affected system to ensure no unauthorized changes have been made.
+- Apply the latest security patches and updates to the affected system to address any known vulnerabilities that may have been targeted.
+- Conduct a thorough review of user accounts and privileges on the affected system to identify and revoke any unauthorized access or privilege escalation.
+- Restore the affected system from a known good backup if any unauthorized changes or exploit attempts have compromised system integrity.
+- Monitor the network and system logs for any signs of similar exploit attempts or related suspicious activities to ensure no further threats are present.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be at risk."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+

nldcsc_elastic_rules/rules/promotions/external_alerts.toml

@@ -0,0 +1,111 @@
+[metadata]
+creation_date = "2020/07/08"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to
+immediately begin investigating external alerts in the app.
+"""
+from = "now-2m"
+index = [
+    "apm-*-transaction*",
+    "traces-apm*",
+    "auditbeat-*",
+    "filebeat-*",
+    "logs-*",
+    "packetbeat-*",
+    "winlogbeat-*",
+]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "External Alerts"
+risk_score = 47
+rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa"
+rule_name_override = "message"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating External Alerts
+
+External alerts are crucial for identifying potential threats across diverse environments like Windows, macOS, and Linux. These alerts are generated from various sources, excluding specific modules like endpoint or cloud defend, to focus on broader threat landscapes. Adversaries may exploit vulnerabilities in these systems to execute unauthorized actions. The 'External Alerts' detection rule filters and highlights such activities by focusing on alert events, enabling analysts to swiftly investigate and mitigate risks.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific event.kind:alert that triggered the detection, ensuring it is not associated with the excluded modules (endgame, endpoint, or cloud_defend).
+- Examine the source and context of the alert by checking the associated tags, such as 'OS: Windows', 'OS: macOS', or 'OS: Linux', to understand the environment affected.
+- Gather additional context by correlating the alert with other logs or events from the same time frame or system to identify any related suspicious activities.
+- Assess the risk score and severity level to prioritize the investigation and determine the potential impact on the organization.
+- Investigate the origin of the alert by identifying the source IP, user account, or process involved, and check for any known vulnerabilities or exploits associated with them.
+- Consult threat intelligence sources to determine if the alert corresponds to any known threat actors or campaigns targeting similar environments.
+
+### False positive analysis
+
+- Alerts from benign third-party applications may trigger false positives. Review and identify these applications, then create exceptions to exclude them from future alerts.
+- Routine system updates or patches can generate alerts. Monitor update schedules and create exceptions for known update activities to reduce noise.
+- Network monitoring tools might produce alerts due to their scanning activities. Verify these tools and exclude their activities if deemed non-threatening.
+- Alerts from internal security testing or penetration testing exercises can be mistaken for threats. Coordinate with security teams to whitelist these activities during scheduled tests.
+- Certain administrative scripts or automation tasks may trigger alerts. Evaluate these scripts and exclude them if they are part of regular operations and pose no risk.
+
+### Response and remediation
+
+- Isolate affected systems immediately to prevent further unauthorized actions and contain the threat.
+- Conduct a thorough review of the alert details to identify any specific vulnerabilities or exploits used by the adversary.
+- Apply relevant patches or updates to the affected systems to remediate any identified vulnerabilities.
+- Restore systems from a known good backup if unauthorized changes or actions have been detected.
+- Monitor network traffic and system logs closely for any signs of further suspicious activity or attempts to exploit similar vulnerabilities.
+- Escalate the incident to the appropriate security team or management if the threat appears to be part of a larger attack campaign or if additional resources are needed for remediation.
+- Enhance detection capabilities by updating security tools and configurations to better identify similar threats in the future."""
+
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
+
+

nldcsc_elastic_rules/rules/promotions/google_secops_external_alerts.toml

@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2025/07/31"
+integration = ["google_secops"]
+maturity = "production"
+promotion = true
+updated_date = "2025/10/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert for each Google SecOps alert written to the configured indices. Enabling this rule allows
+you to immediately begin investigating Google SecOps alerts in the app.
+"""
+from = "now-2m"
+index = ["logs-google_secops.alert-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Google SecOps External Alerts"
+note = """Triage and analysis
+
+### Investigating Google SecOps External Alerts
+
+Google SecOps provides a robust framework for monitoring and managing security operations within cloud environments. The rule leverages specific event identifiers to flag suspicious alerts, enabling analysts to swiftly investigate potential threats and mitigate risks.
+
+### Possible investigation steps
+
+- Examine the timeline of events leading up to and following the alert to identify any unusual patterns or activities that may indicate malicious behavior.
+- Cross-reference the alert with other security logs and alerts to determine if it is part of a broader attack pattern or isolated incident.
+- Investigate the source and destination IP addresses involved in the alert to assess their legitimacy and check for any known malicious activity associated with them.
+- Analyze user activity associated with the alert to identify any unauthorized access or privilege escalation attempts.
+- Consult the Google SecOps investigation guide and resources tagged in the alert for specific guidance on handling similar threats.
+
+### False positive analysis
+
+- Alerts triggered by routine administrative actions can be false positives. Review the context of the alert to determine if it aligns with known maintenance activities.
+- Automated scripts or tools that interact with Google SecOps may generate alerts. Identify these scripts and consider creating exceptions for their expected behavior.
+- Frequent alerts from specific IP addresses or user accounts that are known to be secure can be excluded by adding them to an allowlist.
+- Alerts resulting from testing or development environments should be reviewed and, if deemed non-threatening, excluded from triggering further alerts.
+- Regularly update and review exception lists to ensure they reflect current non-threatening behaviors and do not inadvertently exclude genuine threats.
+
+### Response and remediation
+
+- Immediately isolate affected systems or accounts identified in the Google SecOps alert to prevent further unauthorized access or data exfiltration.
+- Conduct a thorough review of the alert details to identify any compromised credentials or access tokens and reset them promptly.
+- Implement network segmentation or access control measures to limit the spread of potential threats within the environment.
+- Review and update firewall rules and security group settings to block any suspicious IP addresses or domains associated with the alert.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional resources are needed.
+- Document the incident, including all actions taken, and update incident response plans to incorporate lessons learned from this event.
+- Enhance monitoring and detection capabilities by tuning existing alerts and deploying additional rules to detect similar activities in the future.
+"""
+references = ["https://docs.elastic.co/en/integrations/google_secops"]
+risk_score = 47
+rule_id = "70558fd5-6448-4c65-804a-8567ce02c3a2"
+rule_name_override = "google_secops.alert.detection.ruleName"
+setup = """## Setup
+
+### Google SecOps Alert Integration
+This rule is designed to capture alert events generated by the Google SecOps integration and promote them as Elastic detection alerts.
+
+To capture Google SecOps alerts, install and configure the Google SecOps integration to ingest alert events into the `logs-google_secops.alert-*` index pattern.
+
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SecOps events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:google_secops.alert to avoid receiving duplicate alerts.
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = [
+    "Data Source: Google SecOps",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Promotion: External Alerts",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind: alert and data_stream.dataset: google_secops.alert
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
+
+

nldcsc_elastic_rules/rules/promotions/microsoft_sentinel_external_alerts.toml

@@ -0,0 +1,113 @@
+[metadata]
+creation_date = "2025/07/31"
+integration = ["microsoft_sentinel"]
+maturity = "production"
+promotion = true
+updated_date = "2025/10/17"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert for each Microsoft Sentinel alert written to the configured indices. Enabling this rule
+allows you to immediately begin investigating Microsoft Sentinel alerts in the app.
+"""
+from = "now-2m"
+index = ["logs-microsoft_sentinel.alert-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Microsoft Sentinel External Alerts"
+note = """ Triage and analysis
+
+## Investigating Microsoft Sentinel External Alerts
+
+Microsoft Sentinel is a cloud-native SIEM tool that aggregates security data for threat detection and response. The rule identifies each alert logged in Sentinel, enabling analysts to swiftly investigate potential threats.
+
+### Possible investigation steps
+
+- Examine the timeline of events leading up to the alert to identify any unusual or suspicious activities that may have occurred.
+- Cross-reference the alert with other related alerts or logs in Microsoft Sentinel to determine if this is part of a larger pattern or isolated incident.
+- Investigate the source and context of the alert to identify any patterns or anomalies that could indicate manipulation or false positives.
+- Consult the Microsoft Sentinel investigation guide and resources tagged in the alert for specific guidance on handling similar threats.
+
+### False positive analysis
+
+- Alerts triggered by routine administrative tasks can be false positives. Identify these tasks and create exceptions to prevent unnecessary alerts.
+- Frequent alerts from known safe IP addresses or domains may not indicate a threat. Whitelist these sources to reduce noise.
+- Alerts generated by automated scripts or scheduled tasks that are part of regular operations can be excluded by setting up filters for these specific activities.
+- Non-threatening alerts from internal network scans or vulnerability assessments should be reviewed and excluded if they are part of regular security practices.
+- Alerts from test environments or sandboxed systems can be false positives. Exclude these environments from alert generation to focus on genuine threats.
+
+### Response and remediation
+
+- Contain the threat by isolating affected systems from the network to prevent further spread or data exfiltration.
+- Review and terminate any suspicious processes or sessions identified in the alert to halt ongoing malicious activities.
+- Conduct a thorough analysis of the alert details to identify any compromised accounts or credentials and reset passwords immediately.
+- Apply relevant security patches or updates to affected systems to close any vulnerabilities exploited by the adversary.
+- Restore affected systems from clean backups to ensure the integrity and security of the environment.
+- Monitor network traffic and system logs closely for any signs of recurring or related suspicious activities.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional resources are needed.
+"""
+references = ["https://docs.elastic.co/en/integrations/microsoft_sentinel"]
+risk_score = 47
+rule_id = "74147312-ba03-4bea-91d1-040d54c1e8c3"
+rule_name_override = "microsoft_sentinel.alert.properties.friendly_name"
+setup = """## Setup
+
+### Microsoft Sentinel Alert Integration
+This rule is designed to capture alert events generated by the Microsoft Sentinel integration and promote them as Elastic detection alerts.
+
+To capture Microsoft Sentinel alerts, install and configure the Microsoft Sentinel integration to ingest alert events into the `logs-microsoft_sentinel.alert-*` index pattern.
+
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Sentinel events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:microsoft_sentinel.alert to avoid receiving duplicate alerts.
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = [
+    "Data Source: Microsoft Sentinel",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Promotion: External Alerts",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind: alert and data_stream.dataset: microsoft_sentinel.alert
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "microsoft_sentinel.alert.properties.confidence_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "low"
+value = "21"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "medium"
+value = "47"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "high"
+value = "73"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
+
+

nldcsc_elastic_rules/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml

@@ -0,0 +1,85 @@
+[metadata]
+creation_date = "2020/02/18"
+maturity = "production"
+promotion = true
+updated_date = "2025/03/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link
+in the rule.reference column for additional information.
+"""
+from = "now-2m"
+index = ["endgame-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "Credential Manipulation - Detected - Elastic Endgame"
+risk_score = 73
+rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
+setup = """## Setup
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "high"
+tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Credential Manipulation - Detected - Elastic Endgame
+
+Elastic Endgame is a security solution that monitors and detects suspicious activities, such as credential manipulation, which adversaries exploit to escalate privileges by altering access tokens. This detection rule identifies such threats by analyzing alerts for token manipulation events, leveraging its high-risk score and severity to prioritize investigation. The rule aligns with MITRE ATT&CK's framework, focusing on privilege escalation tactics.
+
+### Possible investigation steps
+
+- Review the alert details to confirm the presence of event.kind:alert and event.module:endgame, ensuring the alert is relevant to Elastic Endgame's detection capabilities.
+- Examine the event.action and endgame.event_subtype_full fields for token_manipulation_event to understand the specific type of credential manipulation detected.
+- Check the associated user account and system involved in the alert to determine if the activity aligns with expected behavior or if it indicates potential unauthorized access.
+- Investigate the timeline of events leading up to and following the token manipulation event to identify any additional suspicious activities or patterns.
+- Correlate the alert with other security events or logs to assess if this incident is part of a broader attack or isolated.
+- Evaluate the risk score and severity to prioritize the response and determine if immediate action is required to mitigate potential threats.
+
+### False positive analysis
+
+- Routine administrative tasks involving token manipulation can trigger alerts. Review the context of the event to determine if it aligns with expected administrative behavior.
+- Automated scripts or software updates that require token changes might be flagged. Identify and whitelist these processes if they are verified as safe and necessary for operations.
+- Security tools or monitoring solutions that interact with access tokens for legitimate purposes may cause false positives. Ensure these tools are recognized and excluded from triggering alerts.
+- User behavior analytics might misinterpret legitimate user actions as suspicious. Regularly update user profiles and behavior baselines to minimize these occurrences.
+- Scheduled maintenance activities that involve access token modifications should be documented and excluded from detection rules during their execution time.
+
+### Response and remediation
+
+- Isolate the affected system immediately to prevent further unauthorized access or lateral movement within the network.
+- Revoke and reset any compromised credentials or access tokens identified in the alert to prevent further misuse.
+- Conduct a thorough review of recent access logs and token usage to identify any unauthorized access or actions taken by the adversary.
+- Apply security patches and updates to the affected system and any related systems to close vulnerabilities that may have been exploited.
+- Implement enhanced monitoring on the affected system and related accounts to detect any further suspicious activity or attempts at credential manipulation.
+- Notify the security team and relevant stakeholders about the incident, providing details of the threat and actions taken, and escalate to higher management if the threat level increases.
+- Review and update access control policies and token management practices to prevent similar incidents in the future, ensuring that least privilege principles are enforced."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1134"
+name = "Access Token Manipulation"
+reference = "https://attack.mitre.org/techniques/T1134/"
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+