Comments (3)
Feb 12, 2024
- Had a conversation with @Samirbous about the intention of this rule, the query logic, data source, tuning and more
- Regarding intention, it is looking for a network-based login, followed by a password reset
- Regarding logic, there are a couple of key factors to consider
- There is currently no way to determine if a user is remotely logged in or not, hence why this rule is sequenced by the computer name and the first sequence is a network login
not winlog.event_data.TargetUserName : ("svc*", "PIM_*", "_*_", "*-*-*", "*$")]
- This is an attempt to exclude any Windows or custom service accounts, which have varying differences. As shown in the query logic note, we expected this rule to be noisy as a result of custom service account naming conventions.
Potential Solutions:
- Disable the rule - If the rule is too inherently performance heavy and tuning with exceptions does not help, ultimately disable the rule
- Clone the rule and adjust logic - While rule mutability is not yet available, customers have the option to copy the rule, disable the old, and adjust the copy's logic. Alternatively, as stated in the query note, specific service accounts can be expliclity ignored to replace the global logic of when we are attempting to ignore
winlog.event_data.TargetUserName
While tuning is possible, we have thoroughly reviewed this query and the telemetry and determined that not many further adjustments can be made for the wildcard usage, nor the generic capturing of remote logins for the first sequence. Therefore, what we are attempting to filter on must remain, however, how we filter is up for discussion. We are unsure of the trade-offs in performance with regex vs wildcards or wildcards vs endswith (startswith), etc. If we could have a clear understanding on these differences in performance and their impact, it will help influence not only this tuning issue but how we approach rules, new and old, in general.
We have also noted that several other customers have this rule enabled and are receiving alerts as expected from telemetry without rule failure alerts. Thus we are choosing not to deprecate for a single customer and effect those currently with no issues.
from detection-rules.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
from detection-rules.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.
from detection-rules.
Related Issues (20)
- [New Rule] Process Backgrounded by Unusual Parent
- [New Rule] GTFOBin SUID Execution HOT 1
- [New Rule] Elastic Agent status not validated HOT 4
- [Rule Tuning] Attempt to Retrieve User Data from AWS EC2 Instance HOT 1
- [Rule Tuning] Suspicious Web Browser Sensitive File Access
- [Meta] Okta Detection Coverage for Cross-Origin Authentication Credential Stuffing
- [Rule Tuning] LSASS Memory Dump Creation HOT 2
- [FR][DAC] Consideration: Add Directory Support for Custom Schemas HOT 1
- [Rule Tuning] Statistical Model Detected C2 Beaconing Activity HOT 1
- [New Rule] Suspicious Okta Cross-Origin Authentication HOT 3
- [Bug] Impossible Query not flagging the impossible travel activity / Any suggestions? HOT 1
- [FR] Revisit Filter Schema for Removal or Extension
- [FR] Fix index map in packaging.py
- [Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation HOT 1
- [Meta] Add Auth0 Prebuilt Threat Detection Ruleset HOT 1
- [Bug] Update Index Check for Integration Packages HOT 1
- [FR] Add API auth to Kibana module
- [FR][DAC] Consideration: Add support for exceptions APIs in Kibana module
- [FR][DAC] Consideration: Add CLI commands for deprecate / disable rules HOT 1
- [Meta] EvilNoVNC Threat Detection Coverage Assessment
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from detection-rules.