forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
credential_access_ml_linux_anomalous_metadata_user.toml
48 lines (43 loc) · 1.56 KB
/
credential_access_ml_linux_anomalous_metadata_user.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
[metadata]
creation_date = "2020/09/22"
maturity = "production"
updated_date = "2023/03/06"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be
targeted in order to harvest credentials or user data scripts containing secrets.
"""
false_positives = [
"""
A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection
rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.
""",
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_linux_rare_metadata_user"]
name = "Unusual Linux User Calling the Metadata Service"
risk_score = 21
rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Credential Access"]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1552"
name = "Unsecured Credentials"
reference = "https://attack.mitre.org/techniques/T1552/"
[[rule.threat.technique.subtechnique]]
id = "T1552.005"
name = "Cloud Instance Metadata API"
reference = "https://attack.mitre.org/techniques/T1552/005/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"