## Config

The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

### Important Information Regarding Google Workspace Event Lag Times

- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.
- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.
- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.
- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).
- See the following references for further information.
  - https://support.google.com/a/answer/7061566
  - https://www.elastic.co/guide/en/beats/filebeat/7.12/filebeat-module-google_workspace.html

==== Rule query

event.dataset:(gsuite.admin or google_workspace.admin) and
event.provider:admin and event.category:iam and
event.action:ADD_APPLICATION

==== Rule version history

=== Attempt to Create Okta API Token

An adversary may create an Okta API token to maintain access to an organization’s network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts, or disabling security rules or policies.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.

==== Investigation guide

The Okta Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:system.api_token.create

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Attempt to Deactivate MFA for an Okta User Account

Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:user.mfa.factor.deactivate

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Attempt to Deactivate an Okta Application

Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if your organization’s Okta applications are regularly deactivated and the behavior is expected.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and
event.action:application.lifecycle.deactivate

==== Rule version history

=== Attempt to Deactivate an Okta Network Zone

Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if your organization’s Okta network zones are regularly modified.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:zone.deactivate

==== Rule version history

=== Attempt to Deactivate an Okta Policy

Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization’s security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.lifecycle.deactivate

==== Rule version history

=== Attempt to Deactivate an Okta Policy Rule

Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization’s security controls.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.rule.deactivate

==== Rule version history

=== Attempt to Delete an Okta Application

Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if your organization’s Okta applications are regularly deleted and the behavior is expected.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and
event.action:application.lifecycle.delete

==== Rule version history

=== Attempt to Delete an Okta Network Zone

Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Oyour organization’s Okta network zones are regularly deleted.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:zone.delete

==== Rule version history

=== Attempt to Delete an Okta Policy

Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization’s security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.lifecycle.delete

==== Rule version history

=== Attempt to Delete an Okta Policy Rule

Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization’s security controls.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.rule.delete

==== Rule version history

=== Attempt to Disable Gatekeeper

Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that’s designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.args:(spctl and "--master-disable")

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Attempt to Disable IPTables or Firewall

Identifies attempts to disable ip tables or a firewall service, a technique adversaries can use to modify the network traffic hosts are allowed to send and receive.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 7 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:ufw and process.args:(allow or disable or reset) or
(((process.name:service and process.args:stop) or
(process.name:chkconfig and process.args:off) or
(process.name:systemctl and process.args:(disable or stop or kill)))
and process.args:(firewalld or ip6tables or iptables))

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Attempt to Disable Syslog Service

Identifies attempts to disable the syslog service, a technique adversaries can use to disrupt event logging and evade detection by security controls.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 7 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
((process.name:service and process.args:stop) or
(process.name:chkconfig and process.args:off) or
(process.name:systemctl and process.args:(disable or stop or kill)))
and process.args:(syslog or rsyslog or "syslog-ng")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Attempt to Enable the Root Account

Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:dsenableroot and not process.args:"-d"

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Attempt to Install Root Certificate

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Certain applications may install root certificates for the purpose of inspecting SSL traffic.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:security and process.args:"add-trusted-cert"

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Attempt to Modify an Okta Application

Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization’s security controls or disrupt their business operations.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if your organization’s Okta applications are regularly modified and the behavior is expected.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and
event.action:application.lifecycle.update

==== Rule version history

=== Attempt to Modify an Okta Network Zone

Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization’s security controls.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Oyour organization’s Okta network zones are regularly modified.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:(zone.update or
network_zone.rule.disabled or zone.remove_blacklist)

==== Rule version history

=== Attempt to Modify an Okta Policy

Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization’s security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.lifecycle.update

==== Rule version history

=== Attempt to Modify an Okta Policy Rule

Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization’s security controls.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:policy.rule.update

==== Rule version history

=== Attempt to Mount SMB Share via Command Line

Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.

Rule type: eql

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

process where event.type in ("start", "process_started") and (
process.name : "mount_smbfs" or (process.name : "open" and
process.args : "smb://*") or (process.name : "mount" and
process.args : "smbfs") or (process.name : "osascript" and
process.command_line : "osascript*mount volume*smb://*") )

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Attempt to Remove File Quarantine Attribute

Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple’s Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

process where event.type in ("start", "process_started") and
process.args : "xattr" and ( (process.args :
"com.apple.quarantine" and process.args : ("-d", "-w")) or
(process.args : "-c" and process.command_line : (
"/bin/bash -c xattr -c *", "/bin/zsh -c xattr -c *",
"/bin/sh -c xattr -c *" ) ) )

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Attempt to Reset MFA Factors for an Okta User Account

Detects attempts to reset an Okta user’s enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user’s account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim’s environment.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization.

==== Investigation guide

The Okta Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:user.mfa.factor.reset_all

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Attempt to Revoke Okta API Token

Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization’s business operations.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.

==== Investigation guide

The Okta Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:system.api_token.revoke

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Attempt to Unload Elastic Endpoint Security Kernel Extension

Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:kextunload and
process.args:("/System/Library/Extensions/EndpointSecurity.kext" or
"EndpointSecurity.kext")

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Attempted Bypass of Okta MFA

An adversary may attempt to bypass the Okta multi-factor authentication (MFA) policies configured for an organization in order to obtain unauthorized access to an application. This rule detects when an Okta MFA bypass attempt occurs.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Okta Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:user.mfa.attempt_bypass

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Attempts to Brute Force a Microsoft 365 User Account

Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.

Rule type: threshold

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 2 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.

==== Investigation guide

The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:o365.audit and event.provider:AzureActiveDirectory and
event.category:authentication and event.action:UserLoginFailed and
event.outcome:failure

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Attempts to Brute Force an Okta User Account

Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.

Rule type: threshold

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-180m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Okta Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:okta.system and event.action:user.account.lock

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Auditd Login Attempt at Forbidden Time

Identifies that a login attempt occurred at a forbidden time.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.module:auditd and event.action:"attempted-log-in-during-unusual-
hour-to"

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Auditd Login from Forbidden Location

Identifies that a login attempt has happened from a forbidden location.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.module:auditd and event.action:"attempted-log-in-from-unusual-
place-to"

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Auditd Max Failed Login Attempts

Identifies that the maximum number of failed login attempts has been reached for a user.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.module:auditd and event.action:"failed-log-in-too-many-times-to"

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Auditd Max Login Sessions

Identifies that the maximum number login sessions has been reached for a user.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.module:auditd and event.action:"opened-too-many-sessions-to"

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Authorization Plugin Modification

Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:file and not event.type:deletion and
file.path:(/Library/Security/SecurityAgentPlugins/* and not /Library/S
ecurity/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Azure Active Directory High Risk Sign-in

Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft’s Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic, Willem D’Haese

Rule license: Elastic License v2

==== Investigation guide

The Azure Fleet Integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.signinlogs and
azure.signinlogs.properties.risk_level_during_signin:high and
event.outcome:(success or Success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Azure Active Directory PowerShell Sign-in

Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Fleet Integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.signinlogs and
azure.signinlogs.properties.app_display_name:"Azure Active Directory
PowerShell" and azure.signinlogs.properties.token_issuer_type:AzureAD
and event.outcome:(success or Success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Application Credential Modification

Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Fleet Integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.auditlogs and
azure.auditlogs.operation_name:"Update application - Certificates and
secrets management" and event.outcome:(success or Success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Automation Account Created

Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target’s environment.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Automation Runbook Created or Modified

Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target’s environment.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and
azure.activitylogs.operation_name: (
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE" or
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE" or
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION" )
and event.outcome:(Success or success)

==== Rule version history

=== Azure Automation Runbook Deleted

Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target’s automated business operations or to remove a malicious runbook that was used for persistence.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
event.outcome:(Success or success)

==== Rule version history

=== Azure Automation Webhook Created

Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and
azure.activitylogs.operation_name: (
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION" or
"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE" ) and
event.outcome:(Success or success)

==== Rule version history

=== Azure Blob Container Access Level Modification

Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Command Execution on Virtual Machine

Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Conditional Access Policy Modified

Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target’s security controls.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:(azure.activitylogs or azure.auditlogs) and (
azure.activitylogs.operation_name:"Update policy" or
azure.auditlogs.operation_name:"Update policy" ) and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Diagnostic Settings Deletion

Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Event Hub Authorization Rule Created or Updated

Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it’s recommended that you treat this rule like an administrative root account and don’t use it in your application.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Event Hub Deletion

Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure External Guest User Invitation

Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.auditlogs and
azure.auditlogs.operation_name:"Invite external user" and
azure.auditlogs.properties.target_resources.*.display_name:guest and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Firewall Policy Deletion

Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Global Administrator Role Addition to PIM User

Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.auditlogs and
azure.auditlogs.properties.category:RoleManagement and
azure.auditlogs.operation_name:("Add eligible member to role in PIM
completed (permanent)" or "Add member to role in PIM completed
(timebound)") and
azure.auditlogs.properties.target_resources.*.display_name:"Global
Administrator" and event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Key Vault Modified

Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and
azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE"
and event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Network Watcher Deletion

Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success
or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Privilege Identity Management Role Modified

Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target’s environment or modify a PIM role to weaken their target’s security controls.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.auditlogs and
azure.auditlogs.operation_name:"Update role setting in PIM" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Resource Group Deletion

Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Service Principal Addition

Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it’s always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

==== Investigation guide

The Azure Fleet Integration or Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add
service principal" and event.outcome:(success or Success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Azure Storage Account Key Regenerated

Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

It’s recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated.

==== Investigation guide

The Azure Filebeat module must be enabled to use this rule.

==== Rule query

event.dataset:azure.activitylogs and azure.activitylogs.operation_name
:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and
event.outcome:(Success or success)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Base16 or Base32 Encoding/Decoding Activity

Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 7 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:(base16 or base32 or base32plain or base32hex)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Base64 Encoding/Decoding Activity

Identifies attempts to encode and decode data, a technique adversaries can use to evade detection by host- or network-based security controls.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 7 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values.

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:(base64 or base64plain or base64url or base64mime or
base64pem)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Bash Shell Profile Modification

Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user’s context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell.

Rule type: query

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required.

==== Rule query

event.category:file and event.type:change and process.name:(* and not
(sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or
login or cat or cp or launchctl or java)) and not
process.executable:(/Applications/* or /private/var/folders/* or
/usr/local/*) and file.path:(/private/etc/rc.local or /etc/rc.local or
/home/*/.profile or /home/*/.profile1 or /home/*/.bash_profile or
/home/*/.bash_profile1 or /home/*/.bashrc or /Users/*/.bash_profile or
/Users/*/.zshenv)

==== Threat mapping

Framework: MITRE ATT&CK^TM

=== Bypass UAC via Event Viewer

Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 7 (version history)

Added (Elastic Stack release): 7.7.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.parent.name:eventvwr.exe and not
process.executable:("C:\Windows\SysWOW64\mmc.exe" or
"C:\Windows\System32\mmc.exe")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Clearing Windows Event Logs

Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.

Rule type: query

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 8 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(process_started or start) and
(process.name:"wevtutil.exe" or
process.pe.original_file_name:"wevtutil.exe") and
process.args:("/e:false" or cl or "clear-log") or
process.name:"powershell.exe" and process.args:"Clear-EventLog"

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Cobalt Strike Command and Control Beacon

Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 4 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected.

==== Investigation guide

This activity has been observed in FIN7 campaigns.

==== Rule query

event.category:(network OR network_traffic) AND type:(tls OR http) AND
network.transport:tcp AND
destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Command Execution via SolarWinds Process

A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Trusted SolarWinds child processes. Verify process details such as network connections and file writes.

==== Rule query

process where event.type in ("start", "process_started") and
process.name: ("cmd.exe", "powershell.exe") and process.parent.name: (
"ConfigurationWizard*.exe", "NetflowDatabaseMaintenance*.exe",
"NetFlowService*.exe", "SolarWinds.Administration*.exe",
"SolarWinds.Collector.Service*.exe", "SolarwindsDiagnostics*.exe"
)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Command Prompt Network Connection

Identifies cmd.exe making a network connection. Adversaries can abuse cmd.exe to download or execute malware from a remote URL.

Rule type: eql

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 6 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Administrators may use the command prompt for regular administrative tasks. It’s important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool.

==== Rule query

sequence by process.entity_id [process where process.name :
"cmd.exe" and event.type == "start"] [network where process.name :
"cmd.exe" and not cidrmatch(destination.ip, "10.0.0.0/8",
"172.16.0.0/12", "192.168.0.0/16")]

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Command Shell Activity Started via RunDLL32

Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.

Rule type: eql

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

process where event.type in ("start", "process_started") and
process.name : ("cmd.exe", "powershell.exe") and process.parent.name
: "rundll32.exe" and /* common FPs can be added here */ not
process.parent.args :
"C:\\Windows\\System32\\SHELL32.dll,RunAsNewUser_RunDLL"

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Component Object Model Hijacking

Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

registry where /* uncomment once length is stable
length(bytes_written_string) > 0 and */ (registry.path :
"HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll",
"C:\\*\\scrobj.dll") and not registry.path :
"*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*") or /* in general
COM Registry changes on Users Hive is less noisy and worth alerting */
(registry.path : ("HKEY_USERS\\*Classes\\*\\InprocXServer32\\",
"HKEY_USERS\\*Classes\\*\\LocalServer32\\",
"HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
"HKEY_USERS\\*Classes\\*\\TreatAs\\",
"HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and /* not
necessary but good for filtering privileged installations */
user.domain != "NT AUTHORITY")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Conhost Spawned By Suspicious Parent Process

Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.

Rule type: query

Rule indices:

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

event.category:process and event.type:(start or process_started) and
process.name:conhost.exe and process.parent.name:(svchost.exe or
lsass.exe or services.exe or smss.exe or winlogon.exe or explorer.exe
or dllhost.exe or rundll32.exe or regsvr32.exe or userinit.exe or
wininit.exe or spoolsv.exe or wermgr.exe or csrss.exe or ctfmon.exe)

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Connection to Commonly Abused Free SSL Certificate Providers

Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.

Rule type: eql

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

network where network.protocol == "dns" and /* Add new free SSL
certificate provider domains here */ dns.question.name :
("*letsencrypt.org", "*.sslforfree.com", "*.zerossl.com",
"*.freessl.org") and /* Native Windows process paths that are
unlikely to have network connections to domains secured using free SSL
certificates */ process.executable :
("C:\\Windows\\System32\\*.exe",
"C:\\Windows\\System\\*.exe",
"C:\\Windows\\SysWOW64\\*.exe",
"C:\\Windows\\Microsoft.NET\\Framework*\\*.exe",
"C:\\Windows\\explorer.exe",
"C:\\Windows\\notepad.exe") and /* Insert noisy false positives
here */ not process.name : ("svchost.exe", "MicrosoftEdge*.exe",
"msedge.exe")

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Connection to Commonly Abused Web Services

Adversaries may implement command and control communications that use common web services in order to hide their activity. This attack technique is typically targeted to an organization and uses web services common to the victim network which allows the adversary to blend into legitimate traffic. activity. These popular services are typically targeted since they have most likely been used before a compromise and allow adversaries to blend in the network.

Rule type: eql

Rule indices:

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Rule query

network where network.protocol == "dns" and /* Add new WebSvc
domains here */ dns.question.name : (
"*.githubusercontent.*", "*.pastebin.*",
"*drive.google.*", "*docs.live.*",
"*api.dropboxapi.*", "*dropboxusercontent.*",
"*onedrive.*", "*4shared.*", "*.file.io",
"*filebin.net", "*slack-files.com", "*ghostbin.*",
"*ngrok.*", "*portmap.*", "*serveo.net",
"*localtunnel.me", "*pagekite.me", "*localxpose.io",
"*notabug.org" ) and /* Insert noisy false positives here */
not process.name : ( "MicrosoftEdgeCP.exe",
"MicrosoftEdge.exe", "iexplore.exe", "chrome.exe",
"msedge.exe", "opera.exe", "firefox.exe",
"Dropbox.exe", "slack.exe", "svchost.exe",
"thunderbird.exe", "outlook.exe", "OneDrive.exe" )

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Connection to External Network via Telnet

Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious.

==== Rule query

sequence by process.entity_id [process where process.name ==
"telnet" and event.type == "start"] [network where process.name ==
"telnet" and not cidrmatch(destination.ip, "127.0.0.0/8",
"10.0.0.0/8", "172.16.0.0/12",
"192.168.0.0/16", "FE80::/10", "::1/128")]

==== Threat mapping

Framework: MITRE ATT&CK^TM

==== Rule version history

=== Connection to Internal Network via Telnet

Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.

Rule type: eql

Rule indices:

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Version: 5 (version history)

Added (Elastic Stack release): 7.8.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

==== Potential false positives

Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious.

==== Rule query

sequence by process.entity_id [process where process.name ==
"telnet" and event.type == "start"] [network where process.name ==
"telnet" and cidrmatch(destination.ip, "10.0.0.0/8",
"172.16.0.0/12", "192.168.0.0/16", "FE80::/10") and not
cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]

==== Threat mapping

Framework: MITRE ATT&CK^TM