Merge branch 'main' into add_guides_nov_2

shashank-elastic · web-flow · commit f6f3c48e7101 · 2025-11-25T00:57:20.000+05:30
diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -2,7 +2,9 @@
 creation_date = "2025/07/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+min_stack_version = "8.19.7"
+min_stack_comments = "Bug fix in threshold rules."
+updated_date = "2025/11/13"
 
 [rule]
 author = ["Elastic"]
@@ -18,26 +20,28 @@ false_positives = [
     """,
 ]
 from = "now-60m"
-interval = "15m"
-language = "esql"
+index = ["filebeat-*", "logs-azure.signinlogs-*"]
+interval = "30m"
+language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Exccessive Account Lockouts Detected"
+name = "Microsoft Entra ID Excessive Account Lockouts Detected"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Exccessive Account Lockouts Detected
+### Investigating Microsoft Entra ID Excessive Account Lockouts Detected
 
 This rule detects a high number of sign-in failures due to account lockouts (error code `50053`) in Microsoft Entra ID sign-in logs. These lockouts are typically caused by repeated authentication failures, often as a result of brute-force tactics such as password spraying, credential stuffing, or automated guessing. This detection is time-bucketed and aggregates attempts to identify bursts or coordinated campaigns targeting multiple users.
 
 ### Possible investigation steps
 
-- Review `user_id_list` and `user_principal_name`: Check if targeted users include high-value accounts such as administrators, service principals, or shared inboxes.
-- Check `error_codes` and `result_description`: Validate that `50053` (account locked) is the consistent failure type. Messages indicating "malicious IP" activity suggest Microsoft’s backend flagged the source.
-- Analyze `ip_list` and `source_orgs`: Identify whether the activity originated from known malicious infrastructure (e.g., VPNs, botnets, or public cloud providers). In the example, traffic originates from `MASSCOM`, which should be validated.
-- Inspect `device_detail_browser` and `user_agent`: Clients like `"Python Requests"` indicate scripted automation rather than legitimate login attempts.
-- Evaluate `unique_users` vs. `total_attempts`: A high ratio suggests distributed attacks across multiple accounts, characteristic of password spraying.
-- Correlate `client_app_display_name` and `incoming_token_type`: PowerShell or unattended sign-in clients may be targeted for automation or legacy auth bypass.
-- Review `conditional_access_status` and `risk_state`: If Conditional Access was not applied and risk was not flagged, policy scope or coverage should be reviewed.
-- Validate time range (`first_seen`, `last_seen`): Determine whether the attack is a short burst or part of a longer campaign.
+Please note this is as threshold rule that aggregates multiple account lockouts over a specified time window. To properly investigate, pivot into the individual sign-in log events that contributed to the threshold being met.
+
+- Review users impacted by pivoting searching for `user.name` in events where `azure.signinlogs.properties.status.error_code` is `50053`.
+- Analyze source addresses associated with these lockouts. Identify whether the activity originated from known malicious infrastructure (e.g., VPNs, botnets, or public cloud providers).
+- Inspect the user-agents involved in these account lockouts. Clients like `Python Requests` indicate scripted automation rather than legitimate login attempts. ROPC agents may suggest brute-forcing against legacy auth.
+- A high ratio suggests distributed attacks across multiple accounts, characteristic of password spraying.
+- Correlate client apps associated such as PowerShell or unattended sign-in clients may be targeted for automation or legacy auth bypass.
+- Review conditional access state or risk state of the user involved. If Conditional Access was not applied and risk was not flagged, policy scope or coverage should be reviewed.
+- Check for any successful sign-ins for the affected users around the same time frame to determine if any accounts were compromised prior to lockout.
 
 ### False positive analysis
 
@@ -55,6 +59,7 @@ This rule detects a high number of sign-in failures due to account lockouts (err
 - Audit authentication methods in use, and enforce modern auth (OAuth, SAML) over legacy protocols.
 - Strengthen Conditional Access policies to reduce exposure from weak locations, apps, or clients.
 - Conduct credential hygiene audits to assess reuse and rotation for targeted accounts.
+- If false positives are identified, create exceptions for known benign sources, users or user agents to reduce noise.
 """
 references = [
     "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/",
@@ -81,104 +86,26 @@ tags = [
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "esql"
+type = "threshold"
 
 query = '''
-from logs-azure.signinlogs-*
-
-| eval
-    Esql.time_window_date_trunc = date_trunc(30 minutes, @timestamp),
-    Esql_priv.azure_signinlogs_properties_user_principal_name_lower = to_lower(azure.signinlogs.properties.user_principal_name),
-    Esql.azure_signinlogs_properties_incoming_token_type_lower = to_lower(azure.signinlogs.properties.incoming_token_type),
-    Esql.azure_signinlogs_properties_app_display_name_lower = to_lower(azure.signinlogs.properties.app_display_name)
-
-| where event.dataset == "azure.signinlogs"
-    and event.category == "authentication"
-    and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
-    and event.outcome == "failure"
-    and azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
-    and azure.signinlogs.properties.status.error_code == 50053
-    and azure.signinlogs.properties.user_principal_name is not null
-    and azure.signinlogs.properties.user_principal_name != ""
-    and source.`as`.organization.name != "MICROSOFT-CORP-MSN-as-BLOCK"
-
-| stats
-    Esql.azure_signinlogs_properties_authentication_requirement_values = values(azure.signinlogs.properties.authentication_requirement),
-    Esql.azure_signinlogs_properties_app_id_values = values(azure.signinlogs.properties.app_id),
-    Esql.azure_signinlogs_properties_app_display_name_values = values(azure.signinlogs.properties.app_display_name),
-    Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),
-    Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),
-    Esql.azure_signinlogs_properties_conditional_access_status_values = values(azure.signinlogs.properties.conditional_access_status),
-    Esql.azure_signinlogs_properties_device_detail_browser_values = values(azure.signinlogs.properties.device_detail.browser),
-    Esql.azure_signinlogs_properties_device_detail_device_id_values = values(azure.signinlogs.properties.device_detail.device_id),
-    Esql.azure_signinlogs_properties_device_detail_operating_system_values = values(azure.signinlogs.properties.device_detail.operating_system),
-    Esql.azure_signinlogs_properties_incoming_token_type_values = values(azure.signinlogs.properties.incoming_token_type),
-    Esql.azure_signinlogs_properties_risk_state_values = values(azure.signinlogs.properties.risk_state),
-    Esql.azure_signinlogs_properties_session_id_values = values(azure.signinlogs.properties.session_id),
-    Esql.azure_signinlogs_properties_user_id_values = values(azure.signinlogs.properties.user_id),
-    Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name),
-    Esql.azure_signinlogs_result_description_values = values(azure.signinlogs.result_description),
-    Esql.azure_signinlogs_result_signature_values = values(azure.signinlogs.result_signature),
-    Esql.azure_signinlogs_result_type_values = values(azure.signinlogs.result_type),
-
-    Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct = count_distinct(Esql_priv.azure_signinlogs_properties_user_principal_name_lower),
-    Esql_priv.azure_signinlogs_properties_user_principal_name_lower_values = values(Esql_priv.azure_signinlogs_properties_user_principal_name_lower),
-    Esql.azure_signinlogs_result_description_count_distinct = count_distinct(azure.signinlogs.result_description),
-    Esql.azure_signinlogs_properties_status_error_code_count_distinct = count_distinct(azure.signinlogs.properties.status.error_code),
-    Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),
-    Esql.azure_signinlogs_properties_incoming_token_type_lower_values = values(Esql.azure_signinlogs_properties_incoming_token_type_lower),
-    Esql.azure_signinlogs_properties_app_display_name_lower_values = values(Esql.azure_signinlogs_properties_app_display_name_lower),
-    Esql.source_ip_values = values(source.ip),
-    Esql.source_ip_count_distinct = count_distinct(source.ip),
-    Esql.source_as_organization_name_values = values(source.`as`.organization.name),
-    Esql.source_as_organization_name_count_distinct = count_distinct(source.`as`.organization.name),
-    Esql.source_geo_country_name_values = values(source.geo.country_name),
-    Esql.source_geo_country_name_count_distinct = count_distinct(source.geo.country_name),
-    Esql.@timestamp.min = min(@timestamp),
-    Esql.@timestamp.max = max(@timestamp),
-    Esql.event_count = count()
-by Esql.time_window_date_trunc
-
-| where Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct >= 15 and Esql.event_count >= 20
-
-| keep
-    Esql.time_window_date_trunc,
-    Esql.event_count,
-    Esql.@timestamp.min,
-    Esql.@timestamp.max,
-    Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct,
-    Esql_priv.azure_signinlogs_properties_user_principal_name_lower_values,
-    Esql.azure_signinlogs_result_description_count_distinct,
-    Esql.azure_signinlogs_result_description_values,
-    Esql.azure_signinlogs_properties_status_error_code_count_distinct,
-    Esql.azure_signinlogs_properties_status_error_code_values,
-    Esql.azure_signinlogs_properties_incoming_token_type_lower_values,
-    Esql.azure_signinlogs_properties_app_display_name_lower_values,
-    Esql.source_ip_values,
-    Esql.source_ip_count_distinct,
-    Esql.source_as_organization_name_values,
-    Esql.source_as_organization_name_count_distinct,
-    Esql.source_geo_country_name_values,
-    Esql.source_geo_country_name_count_distinct,
-    Esql.azure_signinlogs_properties_authentication_requirement_values,
-    Esql.azure_signinlogs_properties_app_id_values,
-    Esql.azure_signinlogs_properties_app_display_name_values,
-    Esql.azure_signinlogs_properties_resource_id_values,
-    Esql.azure_signinlogs_properties_resource_display_name_values,
-    Esql.azure_signinlogs_properties_conditional_access_status_values,
-    Esql.azure_signinlogs_properties_device_detail_browser_values,
-    Esql.azure_signinlogs_properties_device_detail_device_id_values,
-    Esql.azure_signinlogs_properties_device_detail_operating_system_values,
-    Esql.azure_signinlogs_properties_incoming_token_type_values,
-    Esql.azure_signinlogs_properties_risk_state_values,
-    Esql.azure_signinlogs_properties_session_id_values,
-    Esql.azure_signinlogs_properties_user_id_values,
-    Esql_priv.azure_signinlogs_properties_user_principal_name_values,
-    Esql.azure_signinlogs_result_description_values,
-    Esql.azure_signinlogs_result_signature_values,
-    Esql.azure_signinlogs_result_type_values
+event.dataset: "azure.signinlogs" and event.category: "authentication"
+    and azure.signinlogs.category: ("NonInteractiveUserSignInLogs" or "SignInLogs")
+    and event.outcome: "failure"
+    and azure.signinlogs.properties.authentication_requirement: "singleFactorAuthentication"
+    and azure.signinlogs.properties.status.error_code: 50053
+    and azure.signinlogs.properties.user_principal_name: (* and not "")
+    and not source.as.organization.name: "MICROSOFT-CORP-MSN-as-BLOCK"
 '''
 
+[rule.threshold]
+field = []
+value = 20
+
+[[rule.threshold.cardinality]]
+field = "user.name"
+value = 15
+
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml b/rules/integrations/okta/credential_access_multiple_user_agent_os_authentication.toml
@@ -0,0 +1,110 @@
+[metadata]
+creation_date = "2025/10/22"
+integration = ["okta"]
+maturity = "production"
+updated_date = "2025/10/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is
+highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly
+indicates that an attacker has stolen a device token and is using it to impersonate a legitimate user from a
+different machine.
+"""
+false_positives = [
+    """
+    Applications will tag the operating system as null when the device is not recognized as a managed device. In
+    environments where users frequently switch between managed and unmanaged devices, this may lead to false positives.
+    """,
+]
+from = "now-60m"
+index = ["logs-okta.system-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Okta Multiple OS Names Detected for a Single DT Hash"
+note = """## Triage and analysis
+
+### Investigating Okta Multiple OS Names Detected for a Single DT Hash
+
+This rule detects when a single Okta device token hash (dt_hash) is associated with multiple operating system types. This is highly anomalous because a device token is tied to a specific device and its operating system. This alert strongly indicates that an attacker has stolen a device token token and is using it to impersonate a legitimate user from a different machine.
+
+### Possible investigation steps
+- Review the `okta.debug_context.debug_data.dt_hash` field to identify the specific device
+trust hash associated with multiple operating systems.
+- Examine the `user.email` field to determine which user account is associated with the suspicious activity
+- Analyze the `source.ip` field to identify the IP addresses from which the different operating systems were reported. Look for any unusual or unexpected locations.
+- Review the `user_agent.os.name` field to see the different operating systems reported for the
+same dt_hash. This will help identify the nature of the anomaly.
+- Check the `event.action` field to understand the context of the authentication events (e.g., MFA verification, standard authentication).
+- Investigate the timeline of events to see when the different operating systems were reported for the same dt_hash. Look for patterns or sequences that may indicate malicious activity.
+- Correlate this activity with other security events in your environment, such as failed login attempts, unusual access patterns, or alerts from endpoint security solutions.
+
+### False positive analysis
+- Applications will tag the operating system as null when the device is not recognized as a managed device
+- In environments where users frequently switch between managed and unmanaged devices, this may lead to false positives.
+
+### Response and remediation
+- Immediately investigate the user account associated with the suspicious activity to determine if it has been compromised.
+- If compromise is confirmed, reset the user's credentials and enforce multi-factor authentication (MFA)
+- Revoke any active sessions associated with the compromised account to prevent further unauthorized access.
+- Review and monitor the affected dt_hash for any further suspicious activity.
+- Educate users about the importance of device security and the risks associated with device tokens.
+- Implement additional monitoring for device token tokens and consider using conditional access policies to restrict access based on device compliance status.
+"""
+risk_score = 73
+rule_id = "fb3ca230-af4e-11f0-900d-f661ea17fbcc"
+severity = "high"
+tags = [
+    "Domain: Identity",
+    "Data Source: Okta",
+    "Data Source: Okta System Logs",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide"
+]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+data_stream.dataset: "okta.system"
+    and not okta.debug_context.debug_data.dt_hash: "-"
+    and user_agent.os.name: *
+    and event.action: (
+        "user.authentication.verify" or
+        "user.authentication.auth_via_mfa"
+    )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1539"
+name = "Steal Web Session Cookie"
+reference = "https://attack.mitre.org/techniques/T1539/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "okta.debug_context.debug_data.dt_hash",
+    "user.email",
+    "source.ip",
+    "user_agent.os.name",
+    "event.action",
+]
+
+[rule.threshold]
+field = ["okta.debug_context.debug_data.dt_hash"]
+value = 1
+[[rule.threshold.cardinality]]
+field = "user_agent.os.name"
+value = 2
+
+
