detection-rules/rules/ml/initial_access_ml_auth_rare_user_logon.toml at main · DamiaPoquet/detection-rules · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
[metadata]
creation_date = "2021/06/10"
maturity = "production"
updated_date = "2022/08/24"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of
detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user
has left the organization) that becomes active may be due to credentialed access using a compromised account password.
Threat actors will sometimes also create new users as a means of persisting in a compromised web application.
"""
false_positives = [
    """
    User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a
    production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account
    may briefly trigger this alert while the model is learning.
    """,
]
from = "now-30m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "auth_rare_user"
name = "Rare User Logon"
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "138c5dd5-838b-446e-b1ac-c995c7f8108a"
severity = "low"
tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Initial Access"]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"