forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
defense_evasion_agent_spoofing_mismatched_id.toml
46 lines (41 loc) · 1.35 KB
/
defense_evasion_agent_spoofing_mismatched_id.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2024/05/31"
[rule]
author = ["Elastic"]
description = """
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when
the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
attempts to spoof events in order to masquerade actual activity to evade detection.
"""
false_positives = [
"""
This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the
necessary field, resulting in false positives.
""",
]
from = "now-9m"
index = ["logs-*", "metrics-*", "traces-*"]
language = "kuery"
license = "Elastic License v2"
name = "Agent Spoofing - Mismatched Agent ID"
risk_score = 73
rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93"
severity = "high"
tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.agent_id_status:(agent_id_mismatch or mismatch)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"