Hunt pack: Play
990 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Play - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
Detections
google_workspace_external_user_added_to_group
Identifies when an external user account is added to a group in Google Workspace. Security teams can monitor for unexpected user accounts being added to Google Workspace groups to prevent unauthorized access to data.
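rule google_workspace_external_user_added_to_group {
  // Flags a Google Workspace admin "add group member" event where the added
  // user's email domain differs from the group's domain (an external member).
  // Pure detection: nothing in the event is modified.

  meta:
    author = "Google Cloud Security"
    description = "Identifies when an external user account is added to a group in Google Workspace. Security teams can monitor for unexpected user accounts being added to Google Workspace groups to prevent unauthorized access to data."
    rule_id = "mr_c64af222-e029-4add-ac9c-b9285c5eb135"
    rule_name = "Google Workspace External User Added To Group"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "Medium"
    priority = "Medium"

  events:
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "admin"
    $ws.metadata.event_type = "GROUP_MODIFICATION"
    $ws.metadata.product_event_type = "ADD_GROUP_MEMBER"
    // Capture "@<domain>" from the group address and from the added user.
    // The character class includes "-": the previous class did not, so a
    // hyphenated domain such as "@corp-example.com" was truncated to "@corp",
    // which made two different hyphenated domains with a common prefix compare
    // as equal and silently suppressed the alert.
    $group_domain = re.capture($ws.target.group.email_addresses, `@[a-zA-Z0-9\.\-]*`)
    $user_domain = re.capture($ws.src.user.email_addresses, `@[a-zA-Z0-9\.\-]*`)
    // NOTE(review): this comparison is case-sensitive; confirm the log source
    // normalizes email case before relying on exact inequality.
    $group_domain != $user_domain

  outcome:
    // Fixed score: the rule has no risk modifiers.
    $risk_score = max(35)
    $mitre_attack_tactic = "Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $mitre_attack_technique_id = "T1078.004"
    $event_count = count_distinct($ws.metadata.id)
    // The two captured domains, exported for triage.
    $target_group_domain = $group_domain
    $src_user_domain = $user_domain
    $target_group_emails = array_distinct($ws.target.group.email_addresses)
    $src_user_emails = array_distinct($ws.src.user.email_addresses)
    // Actor (principal) context: source IP, its geolocation and the admin
    // account that performed the add.
    $principal_ip = array_distinct($ws.principal.ip)
    $principal_country = array_distinct($ws.principal.ip_geo_artifact.location.country_or_region)
    $principal_state = array_distinct($ws.principal.ip_geo_artifact.location.state)
    $principal_user_emails = array_distinct($ws.principal.user.email_addresses)
    $principal_user_id = $ws.principal.user.userid

  condition:
    $ws
}
google_workspace_malicious_file_downloaded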
Identifies when a user downloads a potentially malicious file from Google Drive.
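rule google_workspace_malicious_file_downloaded {
  // Flags Google Drive download/view/copy events on a link-shared or public
  // file whose name ends in an executable or installer extension.

  meta:
    author = "Google Cloud Security"
    description = "Identifies when a user downloads a potentially malicious file from Google Drive."
    rule_id = "mr_72af4504-955b-4c61-9071-bb767c9bae88"
    rule_name = "Google Workspace Malicious File Downloaded"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "User Execution: Malicious File"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1204/002/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "Medium"
    priority = "Medium"

  events:
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "drive"
    // Any of the three access actions counts, not just "download".
    ($ws.metadata.product_event_type = "download" or
      $ws.metadata.product_event_type = "view" or
      $ws.metadata.product_event_type = "copy")
    // Only files exposed beyond explicit sharing.
    ($ws.target.resource.attribute.labels["visibility"] = "people_with_link" or
      $ws.target.resource.attribute.labels["visibility"] = "public_on_the_web")
    // Match on the file's final extension only. The previous pattern
    // (".*\.dll|.*\.exe|...|.*\.so|...|.*\.app|...") was unanchored and
    // case-sensitive, so ".so", ".app", ".bin" etc. matched anywhere inside
    // a name (e.g. "q3.sounds.pdf", "my.application.docx") and "FILE.EXE"
    // was missed. The "$" anchor and nocase restrict it to the real extension,
    // regardless of case; a name such as "a.exe.txt" therefore no longer hits.
    $ws.target.resource.name = /\.(dll|exe|scr|jar|pif|app|dmg|pkg|elf|so|bin|deb|rpm|sh|hta|lnk)$/ nocase

  outcome:
    // Fixed score: the rule has no risk modifiers.
    $risk_score = max(35)
    $mitre_attack_tactic = "Execution"
    $mitre_attack_technique = "User Execution: Malicious File"
    $mitre_attack_technique_id = "T1204.002"
    $event_count = count_distinct($ws.metadata.id)
    $product_event_type = $ws.metadata.product_event_type
    $userid = $ws.principal.user.userid
    // NOTE(review): doc_type is read from src.resource while the other labels
    // come from target.resource -- confirm the parser populates it there.
    $doc_type = $ws.src.resource.attribute.labels["doc_type"]
    $owner = $ws.target.resource.attribute.labels["owner"]
    $doc_name = $ws.target.resource.name
    //$doc_id = $ws.target.resource.product_object_id

  condition:
    $ws
}
google_workspace_user_unsuspended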
Identifies when a user account is unsuspended in Google Workspace.
rule google_workspace_user_unsuspended {
  // Alerts on every Google Workspace admin event that unsuspends a user
  // account, exporting the actor and the affected account for triage.

  meta:
    author = "Google Cloud Security"
    description = "Identifies when a user account is unsuspended in Google Workspace."
    rule_id = "mr_6bf3e4c9-b380-4562-9aa8-6416a9126ee1"
    rule_name = "Google Workspace User Unsuspended"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Workspace Activity"
    severity = "Medium"
    priority = "Medium"

  events:
    $ws.metadata.vendor_name = "Google Workspace"
    $ws.metadata.product_name = "admin"
    // Admin-audit action for re-enabling a suspended account; no further
    // filtering, so every unsuspension produces a detection.
    $ws.metadata.product_event_type = "UNSUSPEND_USER"

  outcome:
    // Fixed score: the rule has no risk modifiers.
    $risk_score = max(35)
    $mitre_attack_tactic = "Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $mitre_attack_technique_id = "T1078.004"
    $event_count = count_distinct($ws.metadata.id)
    // Actor (principal) context: source IP, its geolocation and the admin
    // account that performed the unsuspension.
    $principal_ip = array_distinct($ws.principal.ip)
    $principal_country = array_distinct($ws.principal.ip_geo_artifact.location.country_or_region)
    $principal_state = array_distinct($ws.principal.ip_geo_artifact.location.state)
    $principal_user_emails = array_distinct($ws.principal.user.email_addresses)
    // The account that was unsuspended.
    $target_user_emails = array_distinct($ws.target.user.email_addresses)
    $principal_user_id = $ws.principal.user.userid

  condition:
    $ws
}
logins_from_terminated_employees
Allowed Logins from Terminated Employees
rule logins_from_terminated_employees {
  // Alerts on allowed logins whose target user has a termination date that
  // precedes the login. Relies on the user entity being enriched with
  // termination_date from a context source (see meta.assumptions).

  meta:
    author = "Google Cloud Security"
    description = "Allowed Logins from Terminated Employees"
    rule_id = "mr_69178541-285b-45cb-b723-e2b5d88f22d3"
    rule_name = "Logins From Terminated Employees"
    assumptions = "This rule requires a context data source such as AzureAD AD Context or Workday to demonstrate the correlation of context logs with event logs"
    type = "alert"
    tags = "user enrichment"
    data_source = "microsoft windows events"
    tactic = "TA0001"
    technique = "T1078"
    severity = "Medium"
    priority = "Medium"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    // Only successful logins; blocked attempts are out of scope.
    $login.security_result.action = "ALLOW"
    $login.target.user.userid = $user
    // A termination date must be present (> 0) and must be earlier than the
    // login itself.
    $login.target.user.termination_date.seconds > 0
    $login.target.user.termination_date.seconds < $login.metadata.event_timestamp.seconds

  match:
    // One detection per target userid per day.
    $user over 1d

  outcome:
    $risk_score = 65
    $event_count = count_distinct($login.metadata.id)
    // NOTE(review): despite the name, this holds the latest termination_date
    // seen for the user (epoch seconds), not a login time.
    $employee_last_login = max($login.target.user.termination_date.seconds)
    $total_distinct_ips = count_distinct($login.principal.ip)
    // added to populate alert graph with additional context
    $principal_hostname = array_distinct($login.principal.hostname)
    $target_hostname = array_distinct($login.target.hostname)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    // Commented out target.user.userid because it is already represented in graph as match variable. If match changes, can uncomment to add to results
    //$target_user_userid = array_distinct($login.target.user.userid)
    $principal_resource_name = array_distinct($login.principal.resource.name)
    $target_resource_name = array_distinct($login.target.resource.name)
    $target_url = array_distinct($login.target.url)

  condition:
    $login
}
o365_ADPowerShell_app_login_subsequent_activity
Once a user authenticates to the Azure AD PowerShell application and then, within a portion of the access-token lifetime, takes multiple admin actions indicative of establishing their own persistence through an Entra ID application, alert for additional investigation.
rule o365_ADPowerShell_app_login_subsequent_activity {
  // Correlates an allowed Office 365 sign-in to the Azure AD PowerShell
  // application with later application-persistence admin actions by the same
  // user, within a 90-minute match window.

  meta:
    author = "Google Cloud Security"
    description = "Once a user authenticates to the Azure AD PowerShell application, if they take multiple admin actions indicative of establishing their own persistence with an Entra ID application within a portion of the access token time, alert for additional investigation"
    rule_id = "mr_2d781f34-05f3-43aa-b5ec-257c03787a66"
    rule_name = "O365 AD PowerShell App Login Subsequent Activity"
    assumption = "This does not take into account attempts that were blocked, just any logging of attempts for any of these actions"
    tactic = "TA0003"
    technique = "T1098.001"
    type = "alert"
    platform = "azure"
    data_source = "o365"
    severity = "Medium"
    priority = "Medium"

  events:
    // $login: an allowed UserLoggedIn whose target application object id is
    // the Azure AD PowerShell app (same id used by
    // o365_login_activity_to_azure_ad_powershell_app).
    (
      $login.metadata.event_type = "USER_LOGIN" and
      $login.metadata.product_event_type = "UserLoggedIn" and
      $login.metadata.product_name = "Office 365" and
      $login.metadata.vendor_name = "Microsoft" and
      $login.target.resource.product_object_id = "1b730954-1685-4b74-9bfd-dac224a7b894" and
      $login.security_result.action = "ALLOW"
    )
    $login.target.user.userid = $userid
    // The admin action must come after the login.
    $login.metadata.event_timestamp.seconds < $other.metadata.event_timestamp.seconds
    // $other: one of four application-related audit actions. Note that
    // security_result.action is not constrained here (see meta.assumption).
    (
      (
        $other.metadata.event_type = "USER_RESOURCE_CREATION" and
        $other.metadata.product_event_type = "Add application." and
        $other.metadata.product_name = "Office 365" and
        $other.metadata.vendor_name = "Microsoft"
      )
      or
      (
        $other.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT" and
        $other.metadata.product_event_type = "Update application." and
        $other.metadata.product_name = "Office 365" and
        $other.metadata.vendor_name = "Microsoft"
      )
      or
      (
        $other.metadata.event_type = "USER_RESOURCE_UPDATE_PERMISSIONS" and
        $other.metadata.product_event_type = "Add delegated permission grant." and
        $other.metadata.product_name = "Office 365" and
        $other.metadata.vendor_name = "Microsoft"
      )
      or
      (
        $other.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT" and
        $other.metadata.product_event_type = /Update application.*Certificates and secrets management/ nocase and
        $other.metadata.product_name = "Office 365" and
        $other.metadata.vendor_name = "Microsoft"
      )
    )
    // The user who signed in is the one performing the admin action.
    $other.principal.user.userid = $userid
    // Placeholder so the condition can count it via #other_event.
    $other.metadata.product_event_type = $other_event

  match:
    $userid over 90m

  outcome:
    // Additive score: 10 per ordinary application change, 55 for a
    // certificates/secrets change; max() collapses it to one value per match.
    $risk_score = max(if($other.metadata.product_event_type = "Add application.", 10, 0) +
      if($other.metadata.product_event_type = "Update application.", 10, 0) +
      if($other.metadata.product_event_type = "Add delegated permission grant.", 10, 0) +
      if($other.metadata.product_event_type = /Update application.*Certificates and secrets management/ nocase, 55, 0))
    // NOTE(review): exported but not referenced by the condition below, which
    // fires on any single action (#other_event > 0); the description's
    // "multiple admin actions" is therefore not enforced -- confirm intended.
    $subsequent_action_threshold = 1
    $product_event_type = array_distinct($other.metadata.product_event_type)
    $country_region_login_attempt = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    //added to populate alert graph with additional context
    $principal_ip = array_distinct($login.principal.ip)
    //$principal_user_userid = array_distinct($other.principal.user.userid)
    $target_resource_name = array_distinct($other.target.resource.name)

  condition:
    $login and #other_event > 0
}
o365_add_user_to_admin_role
Adding users to administrative roles is not malicious in itself, but because certain roles are sensitive, each such assignment should be validated.
rule o365_add_user_to_admin_role {
  // Alerts when an Office 365 "Add member to role." audit event assigns a role
  // that appears in the msgraph_watchlist_roles reference list.

  meta:
    author = "Google Cloud Security"
    description = "Adding users to administrative roles is not malicious, but due to the sensitivity of certain roles, validation should occur when this occurs"
    rule_id = "mr_ee28c257-d2c7-490c-addf-aef35d07f29d"
    rule_name = "O365 Add User To Admin Role"
    assumption = "The list msgraph_watchlist_roles is populated with role names, example: Application Administrator"
    mitre_attack_tactic = "TA0003"
    mitre_attack_technique = "T1098.003"
    type = "alert"
    platform = "azure"
    data_source = "o365"
    severity = "Medium"
    priority = "Medium"

  events:
    $app.metadata.event_type = "USER_UNCATEGORIZED"
    $app.metadata.product_event_type = "Add member to role."
    $app.metadata.product_name = "Office 365"
    $app.metadata.vendor_name = "Microsoft"
    // Only successful assignments.
    $app.security_result.action = "ALLOW"
    // Reference-list match on the role name; an empty list yields no alerts.
    $app.target.resource.attribute.roles.name in %msgraph_watchlist_roles
    $app.principal.user.userid = $userid

  match:
    // Grouped by the acting (principal) user, not the user receiving the role.
    $userid over 5m

  outcome:
    $risk_score = 65
    $event_count = count_distinct($app.metadata.id)
    $security_summary = array_distinct($app.security_result.summary)
    $user_agent = array_distinct($app.network.http.user_agent)
    $assigned_role = array_distinct($app.target.resource.attribute.roles.name)
    //added to populate alert graph with additional context
    //$principal_user_userid = array_distinct($app.principal.user.userid)
    $target_user_userid = array_distinct($app.target.user.userid)

  condition:
    $app
}
o365_entra_id_client_secret_add_update_delete_in_app
Secrets added to applications have legitimate purposes, but can also be a method of persistence. This alert triggers on the creation, modification or deletion of a client secret.
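rule o365_entra_id_client_secret_add_update_delete_in_app {
  // Alerts on allowed Office 365 audit events in which an Entra ID
  // application's certificates/secrets were changed, grouped per acting user
  // over a 5-minute window.

  meta:
    author = "Google Cloud Security"
    description = "Secrets added to applications have legitimate purposes, but can also be a method of persistence. This alert will trigger on creation, modification or delete of a client secret"
    rule_id = "mr_24ac7907-9d86-4089-901c-61f8ff1e7730"
    rule_name = "O365 Entra ID App Client Secret Added, Updated or Deleted"
    tactic = "TA0003"
    technique = "T1098.001"
    type = "alert"
    platform = "azure"
    data_source = "o365"
    severity = "Medium"
    priority = "Medium"

  events:
    $app.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
    $app.metadata.product_name = "Office 365"
    // nocase added for consistency with the identical pattern in
    // o365_ADPowerShell_app_login_subsequent_activity.
    // NOTE(review): the audit action for a removed secret is assumed to carry
    // the same "Certificates and secrets management" suffix -- confirm against
    // your tenant's logs.
    $app.metadata.product_event_type = /Update application.*Certificates and secrets management/ nocase
    $app.metadata.vendor_name = "Microsoft"
    // Only successful changes.
    $app.security_result.action = "ALLOW"
    $app.principal.user.userid = $userid

  match:
    $userid over 5m

  outcome:
    $risk_score = 65
    $event_count = count_distinct($app.metadata.id)
    $security_summary = array_distinct($app.security_result.summary)
    $user_agent = array_distinct($app.network.http.user_agent)
    // Extract the AppId value from the user-agent string. The capture group is
    // now bounded to the next double quote; the previous greedy (.*) swallowed
    // the closing quote and everything after it, so the exported value was not
    // a clean application id.
    $target_entra_id_application = array_distinct(re.capture($app.network.http.user_agent,`\"AppId\":\"([^\"]*)`))
    //added to populate alert graph with additional context
    $principal_user_userid = array_distinct($app.principal.user.userid)

  condition:
    $app
}
o365_login_activity_to_azure_ad_powershell_app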
Logins to Azure AD PowerShell app can have legitimate purposes, but are also abused to gain access to user information. Programmatic access to Entra ID (Azure AD) should generally be through apps, so reviewing these activities is needed.
rule o365_login_activity_to_azure_ad_powershell_app {
  // Hunt rule (type = "hunt"): surfaces every allowed Office 365 sign-in to
  // the Azure AD PowerShell application, grouped per user over 5 minutes.

  meta:
    author = "Google Cloud Security"
    description = "Logins to Azure AD PowerShell app can have legitimate purposes, but are also abused to gain access to user information. Programmatic access to Entra ID (Azure AD) should generally be through apps, so reviewing these activities is needed."
    rule_id = "mr_0cc56eaf-4176-444d-874d-9780bbb29d4f"
    rule_name = "O365 Login Activity To Azure AD PowerShell App"
    tactic = "TA0001"
    technique = "T1078.004"
    type = "hunt"
    platform = "azure"
    data_source = "o365"
    severity = "Medium"
    priority = "Medium"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_event_type = "UserLoggedIn"
    $login.metadata.product_name = "Office 365"
    $login.metadata.vendor_name = "Microsoft"
    // Application object id of the Azure AD PowerShell app (also used by
    // o365_ADPowerShell_app_login_subsequent_activity).
    $login.target.resource.product_object_id = "1b730954-1685-4b74-9bfd-dac224a7b894"
    $login.security_result.action = "ALLOW"
    // Below filters ADFS Sync Account that runs every 30 minutes between AD and Entra ID (for federated environments); can use display name or email address
    // (Both lines are commented out, so no sync-account exclusion is active by default.)
    //$login.target.user.userid != "insert your email address here" and
    //$login.target.user.user_display_name != "On-Premises Directory Synchronization Service Account"
    $login.target.user.userid = $userid

  match:
    $userid over 5m

  outcome:
    $risk_score = 65
    $event_count = count_distinct($login.metadata.id)
    $security_summary = array_distinct($login.security_result.summary)
    $user_agent = array_distinct($login.network.http.user_agent)
    $country_region_login_attempt = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    //added to populate alert graph with additional context
    $principal_ip = array_distinct($login.principal.ip)
    $target_user_userid = array_distinct($login.target.user.userid)

  condition:
    $login
}
o365_login_activity_to_uncommon_mscloud_apps
This rule detects O365 login activity to apps other than a defined list of first party MS Cloud Apps. Note that Azure Active Directory PowerShell and custom Azure apps are not in this list by default
rule o365_login_activity_to_uncommon_mscloud_apps {
  // Alerts on allowed Office 365 sign-ins whose target application is NOT in
  // the first_party_ms_cloud_apps reference list, grouped per user over 5m.

  meta:
    author = "Google Cloud Security"
    description = "This rule detects O365 login activity to apps other than a defined list of first party MS Cloud Apps. Note that Azure Active Directory PowerShell and custom Azure apps are not in this list by default"
    rule_id = "mr_eca0cd3d-7d65-47f6-9df2-1a16664819ae"
    rule_name = "O365 Login Activity To Uncommon Microsoft Cloud Apps"
    assumption = "The list first_party_ms_cloud_apps is populated as needed"
    tactic = "TA0001"
    technique = "T1078.004"
    reference = "https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in"
    type = "alert"
    platform = "azure"
    data_source = "o365"
    severity = "Medium"
    priority = "Medium"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_event_type = "UserLoggedIn"
    $login.metadata.product_name = "Office 365"
    // Allow-list check: an empty or incomplete reference list makes every
    // sign-in "uncommon", so tune the list before enabling.
    NOT $login.target.resource.product_object_id in %first_party_ms_cloud_apps
    /* Additional AppIds that are not in this list but have appeared benign during testing include the following:
    7eadcef8-456d-4611-9480-4fff72b8b9e2 Microsoft Account Controls V2
    8e0e8db5-b713-4e91-98e6-470fed0aa4c2 Microsoft Azure Signup Portal
    f9818e52-50bd-463e-8932-a1650bd3fad2 MSAL Configuration
    There are additional lists on GitHub that are compiled that would be added for additional tuning as needed
    */
    $login.metadata.vendor_name = "Microsoft"
    $login.security_result.action = "ALLOW"
    $login.target.user.userid = $userid
    //If you are using ADFS, you may want to consider something like this to filter out Synchronization Login Traffic - Your userid will be different
    // Note: this exclusion is live (not commented out); userids containing
    // "Sync_" in any case are dropped from the results.
    $login.target.user.userid != /Sync_/ nocase

  match:
    $userid over 5m

  outcome:
    $risk_score = 65
    $event_count = count_distinct($login.metadata.id)
    // The application object ids that were not on the list.
    $target_application = array_distinct($login.target.resource.product_object_id)
    $security_summary = array_distinct($login.security_result.summary)
    $user_agent = array_distinct($login.network.http.user_agent)
    $country_region_login_attempt = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    //added to populate alert graph with additional context
    $principal_ip = array_distinct($login.principal.ip)
    $target_user_userid = array_distinct($login.target.user.userid)

  condition:
    $login
}
o365_recently_created_entra_id_user_assigned_roles
Detects when a user is created in Entra ID and assigned roles within a defined time window.
rule o365_recently_created_entra_id_user_assigned_roles {
  // Correlates an Office 365 "Add user." event with a later "Add member to
  // role." event for the same target user inside a 90-minute match window.

  meta:
    author = "Google Cloud Security"
    description = "Detects when a user is created in Entra ID and assigned roles within a defined time window."
    rule_id = "mr_c0406a96-4ed1-4dd2-9629-aa5a2c881222"
    rule_name = "O365 Recently Created Entra ID User Assigned Roles"
    tactic = "TA0003"
    technique = "T1098.003"
    // NOTE(review): the reference-list check this assumption refers to is
    // commented out in the events section below, so the list is not
    // required for the rule to fire as written.
    assumption = "The list msgraph_watchlist_roles is populated with role names, ie Application Administrator"
    type = "alert"
    platform = "azure"
    data_source = "o365"
    severity = "Medium"
    priority = "Medium"

  events:
    // $create: successful user creation; the new account is the join key.
    (
      $create.metadata.event_type = "USER_CREATION" and
      $create.metadata.product_event_type = "Add user." and
      $create.metadata.product_name = "Office 365" and
      $create.security_result.action = "ALLOW" and
      $create.target.user.userid = $userid
    )
    // The role assignment must come after the creation.
    $create.metadata.event_timestamp.seconds < $role.metadata.event_timestamp.seconds
    // $role: successful role assignment to that same account. Any role
    // qualifies; the watchlist filter is left commented out.
    (
      $role.metadata.event_type = "USER_UNCATEGORIZED" and
      $role.metadata.product_event_type = "Add member to role." and
      $role.metadata.product_name = "Office 365" and
      $role.security_result.action = "ALLOW" and
      //The reference list msgraph_watchlist_roles matches on the role name. List contents example row: Global Administrator //manage all aspects of Azure AD and Microsoft services that use Azure AD identities 62e90394-69f5-4237-9190-012177145e10
      //If you wanted to detect on specific roles, they could be added to a reference list and the following line uncommented
      //$role.target.resource.attribute.roles.name in %msgraph_watchlist_roles and
      $role.target.user.userid = $userid
    )

  match:
    $userid over 90m

  outcome:
    // 85 when any assigned role name contains "Administrator" (any case),
    // otherwise 35.
    $risk_score = max(if($role.target.resource.attribute.roles.name = /Administrator/ nocase, 85, 35))
    $security_summary = array_distinct($role.security_result.summary)
    $user_agent = array_distinct($role.network.http.user_agent)
    $assigned_role = array_distinct($role.target.resource.attribute.roles.name)
    //added to populate alert graph with additional context
    // Who created the account, and the account that was created.
    $principal_user_userid = array_distinct($create.principal.user.userid)
    $target_user_userid = array_distinct($create.target.user.userid)

  condition:
    $create and $role
}
okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip
Detects multiple user logins with invalid credentials from a single IP.
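rule okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip {
  // Alerts when one source IP produces blocked INVALID_CREDENTIALS logins for
  // more than five distinct Okta users within an hour (password-spray shape).

  meta:
    author = "Google Cloud Security"
    description = "Detects multiple user logins with invalid credentials from a single IP."
    rule_id = "mr_09e08430-0704-4411-b3a1-29d05bcd4e13"
    rule_name = "Okta Multiple User's Logins With Invalid Credentials From The Same IP"
    reference = "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Medium"
    priority = "Medium"

  events:
    $login.metadata.product_name = "Okta"
    $login.metadata.vendor_name = "Okta"
    $login.metadata.event_type = "USER_LOGIN"
    // Only failed logins that Okta attributes to bad credentials.
    $login.security_result.action = "BLOCK"
    $login.security_result.category_details = "INVALID_CREDENTIALS"
    // The source IP is the match key.
    $login.principal.ip = $ip

  match:
    $ip over 1h

  outcome:
    // Additive score from Okta ThreatInsight, Okta behaviour signals and the
    // geolocation of the source IP. Note there is no base score, so a match
    // with none of these signals scores 0.
    $risk_score = max(
      // If the IP Address is marked as suspicious IP address by Okta ThreatInsight
      if($login.security_result.detection_fields["threatSuspected"] = "true", 30) +
      // Based on Okta Behavior Detection pattern analysis
      if($login.security_result.description = /New Geo-Location=POSITIVE/, 10) +
      if($login.security_result.description = /New Device=POSITIVE/, 20) +
      if($login.security_result.description = /New IP=POSITIVE/, 5) +
      if($login.security_result.description = /New City=POSITIVE/, 5) +
      if($login.security_result.description = /New State=POSITIVE/, 10) +
      if($login.security_result.description = /New Country=POSITIVE/, 10) +
      if($login.security_result.description = /Velocity=POSITIVE/, 10) +
      // Unauthorized target geographies
      // Geolocation now read from principal.ip_geo_artifact (the attacking
      // IP) rather than target.ip_geo_artifact; this matches the sibling Okta
      // rules and the $principal_ip_country outcome below. The previous
      // target.* reference never contributed to the score for source-IP geo.
      if($login.principal.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Iran", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Russia", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    $target_user_agent = array_distinct($login.network.http.user_agent)
    // Source-IP context.
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($login.principal.location.city)
    $security_result_summary = array_distinct($login.security_result.summary)
    $principal_user_managers_email_addresses = array_distinct($login.principal.user.managers.email_addresses)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    // Number of distinct accounts attempted from this IP; used by the condition.
    $dc_principal_user_userid = count_distinct($login.principal.user.userid)
    $target_user_email_addresses = array_distinct($login.target.user.email_addresses)
    $target_user_userid = array_distinct($login.target.user.userid)
    $security_result_description = array_distinct($login.security_result.description)

  condition:
    $login and $dc_principal_user_userid > 5
}
okta_new_api_token_created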
Detects when a new API token is created.
rule okta_new_api_token_created {
  // Alerts on every successful Okta API token creation, grouped per creating
  // user over one hour.

  meta:
    author = "Google Cloud Security"
    description = "Detects when a new API token is created."
    rule_id = "mr_beca4f13-9526-4095-ab77-f0fc0610200c"
    rule_name = "Okta New API Token Created"
    reference = "https://developer.okta.com/docs/guides/tokens/"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Medium"
    priority = "Medium"

  events:
    $token.metadata.product_name = "Okta"
    $token.metadata.vendor_name = "Okta"
    // Okta system-log event for API token creation; both the event type and
    // its summary text are required.
    $token.metadata.product_event_type = "system.api_token.create"
    $token.security_result.summary = "Create API token"
    $token.security_result.action = "ALLOW"
    $token.principal.user.userid = $userid

  match:
    $userid over 1h

  outcome:
    // Fixed score: the rule has no risk modifiers.
    $risk_score = max(35)
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    $target_user_agent = array_distinct($token.network.http.user_agent)
    // Creator context: source IP, its geolocation and the creator's email.
    $principal_ip = array_distinct($token.principal.ip)
    $principal_ip_country = array_distinct($token.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($token.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($token.principal.location.city)
    $principal_user_email_addresses = array_distinct ($token.principal.user.email_addresses)
    $security_result_summary = array_distinct($token.security_result.summary)

  condition:
    $token
}
okta_successful_high_risk_user_logins
Detects successfully authenticated user logins based on Okta's Behavior Detection pattern analysis.
rule okta_successful_high_risk_user_logins {
  // Hunt rule (type = "Hunt"): successful Okta session starts for users that
  // already existed in the entity graph, scored from Okta behaviour-detection
  // signals and source geolocation; only matches scoring >= 50 are returned.

  meta:
    author = "Google Cloud Security"
    description = "Detects successfully authenticated user logins based on Okta's Behavior Detection pattern analysis."
    rule_id = "mr_ef123f09-f2ae-4d29-bb69-896d708f6a27"
    rule_name = "Okta Successful High Risk User Logins"
    reference = "https://help.okta.com/en-us/Content/Topics/Security/behavior-detection/logs-behavior-detection.htm"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Hunt"
    false_positives = "This rule causes False Positives if the user is a net new user."
    data_source = "Okta"
    severity = "Medium"
    priority = "Medium"

  events:
    $login.metadata.product_name = "Okta"
    $login.metadata.vendor_name = "Okta"
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_event_type = "user.session.start"
    $login.security_result.summary = "User login to Okta"
    $login.security_result.action = "ALLOW"
    $login.principal.user.userid = $userid
    // Detect only for existing users and not net new users
    // Joins the USER entity from the entity graph and requires its first_seen
    // time to predate the login.
    $first_seen.graph.metadata.entity_type = "USER"
    $first_seen.graph.entity.user.first_seen_time.seconds < $login.metadata.event_timestamp.seconds
    $first_seen.graph.entity.user.userid = $userid

  match:
    $userid over 5m

  outcome:
    // Additive score with no base value. No single signal reaches the
    // condition's 50 threshold (largest is 20), so several must coincide.
    $risk_score = max(
      // Based on Okta's Behavior Detection pattern analysis
      if($login.security_result.description = /New Geo-Location=POSITIVE/, 10) +
      if($login.security_result.description = /New Device=POSITIVE/, 20) +
      if($login.security_result.description = /New IP=POSITIVE/, 5) +
      if($login.security_result.description = /New City=POSITIVE/, 5) +
      if($login.security_result.description = /New State=POSITIVE/, 10) +
      if($login.security_result.description = /New Country=POSITIVE/, 10) +
      if($login.security_result.description = /Velocity=POSITIVE/, 10) +
      // Unauthorized target geographies
      if($login.principal.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Iran", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Russia", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    $target_user_agent = array_distinct($login.network.http.user_agent)
    // Source-IP context.
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($login.principal.location.city)
    $security_result_summary = array_distinct($login.security_result.summary)
    $principal_user_managers_email_addresses = array_distinct($login.principal.user.managers.email_addresses)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    $target_user_email_addresses = array_distinct($login.target.user.email_addresses)
    $target_user_userid = array_distinct($login.target.user.userid)
    $security_result_description = array_distinct($login.security_result.description)

  condition:
    // Both the login and the entity-graph record are required, plus the score
    // threshold computed above.
    $login and $first_seen and $risk_score >= 50
}
okta_user_account_lockout
Detects when a user's account is locked out or a user account has reached the lockout limit.
rule okta_user_account_lockout {
  // Alerts on Okta account-lockout events (lock or lock-limit reached),
  // grouped per affected user over one hour.

  meta:
    author = "Google Cloud Security"
    description = "Detects when a user's account is locked out or a user account has reached the lockout limit."
    rule_id = "mr_b7d1d908-77db-4217-a170-44e0423c7fbe"
    rule_name = "Okta User Account Lockout"
    reference = "https://www.okta.com/resources/whitepaper/how-adaptive-mfa-helps-mitigate-brute-force-attacks/"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Medium"
    priority = "Medium"

  events:
    $login.metadata.product_name = "Okta"
    $login.metadata.vendor_name = "Okta"
    // Either Okta system-log lockout event type qualifies.
    (
      $login.metadata.product_event_type = "user.account.lock.limit" or
      $login.metadata.product_event_type = "user.account.lock"
    )
    $login.security_result.action = "BLOCK"
    $login.principal.user.userid = $userid

  match:
    $userid over 1h

  outcome:
    // Fixed score: the rule has no risk modifiers.
    $risk_score = max(35)
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    $target_user_agent = array_distinct($login.network.http.user_agent)
    // Source-IP context and the locked-out user's email.
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($login.principal.location.city)
    $principal_user_email_addresses = array_distinct ($login.principal.user.email_addresses)
    $security_result_summary = array_distinct($login.security_result.summary)
    $security_result_category_details = array_distinct($login.security_result.category_details)

  condition:
    $login
}
okta_user_logins_from_multiple_cities
Detects user logins for same user from different cities within 24 hours.
rule okta_user_logins_from_multiple_cities {
  meta:
    author = "Google Cloud Security"
    description = "Detects user logins for same user from different cities within 24 hours."
    rule_id = "mr_b607de8a-7988-4f4f-8ecf-e8754de6bbae"
    rule_name = "Okta User Logins From Multiple Cities"
    reference = "https://help.okta.com/en-us/Content/Topics/Security/behavior-detection/logs-behavior-detection.htm"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Medium"
    priority = "Medium"
  events:
    // Successful Okta session starts only.
    $e.metadata.vendor_name = "Okta"
    $e.metadata.product_name = "Okta"
    $e.metadata.event_type = "USER_LOGIN"
    $e.metadata.product_event_type = "user.session.start"
    $e.security_result.summary = "User login to Okta"
    // Group by the logging-in user. Binding $city presumably also restricts the
    // rule to events where principal.location.city is populated — confirm
    // against the Okta parser, since the count below is taken from that field.
    $e.principal.user.userid = $userid
    $e.principal.location.city = $city
  match:
    $userid over 24h
  outcome:
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    // Base score 35, +30 if Okta ThreatInsight flagged the source IP,
    // +20 per listed geography seen on the source IP.
    $risk_score = max(
      35 +
      if($e.security_result.detection_fields["threatSuspected"] = "true", 30) +
      if($e.principal.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
      if($e.principal.ip_geo_artifact.location.country_or_region = "Iran", 20) +
      if($e.principal.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
      if($e.principal.ip_geo_artifact.location.country_or_region = "Russia", 20) +
      if($e.principal.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    // Number of distinct cities drives the condition; the rest is analyst context.
    $dc_principal_ip_city = count_distinct($e.principal.location.city)
    $principal_ip_city = array_distinct($e.principal.location.city)
    $principal_ip_state = array_distinct($e.principal.ip_geo_artifact.location.state)
    $principal_ip_country = array_distinct($e.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip = array_distinct($e.principal.ip)
    $target_user_agent = array_distinct($e.network.http.user_agent)
    $security_result_summary = array_distinct($e.security_result.summary)
    $principal_user_userid = array_distinct($e.principal.user.userid)
    $principal_user_managers_email_addresses = array_distinct($e.principal.user.managers.email_addresses)
    $target_user_userid = array_distinct($e.target.user.userid)
    $target_user_email_addresses = array_distinct($e.target.user.email_addresses)
  condition:
    // More than one distinct city for the same user inside the 24h window.
    $e and $dc_principal_ip_city > 1
}okta_user_suspicious_activity_reported
An Okta user reports suspicious activity in response to an end user security notification.
rule okta_user_suspicious_activity_reported {
  meta:
    author = "Google Cloud Security"
    description = "An Okta user reports suspicious activity in response to an end user security notification."
    rule_id = "mr_09eaaa93-be5e-4b7f-9d6b-8675e63291a0"
    rule_name = "Okta User Suspicious Activity Reported"
    reference = "https://help.okta.com/en-us/Content/Topics/Security/suspicious-activity-reporting.htm"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    mitre_attack_technique = "Valid Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/"
    mitre_attack_version = "v13.1"
    type = "Alert"
    data_source = "Okta"
    severity = "Medium"
    priority = "Medium"
  events:
    // The end-user "report suspicious activity" event, grouped by the
    // account that was reported on (target), not the reporter.
    $report.metadata.vendor_name = "Okta"
    $report.metadata.product_name = "Okta"
    $report.metadata.product_event_type = "user.account.report_suspicious_activity_by_enduser"
    $report.metadata.event_type = "USER_UNCATEGORIZED"
    $report.security_result.summary = "User report suspicious activity"
    $report.target.user.userid = $userid
  match:
    $userid over 1h
  outcome:
    $mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation, Initial Access"
    $mitre_attack_technique = "Valid Accounts"
    // Base 35; +30 when the notification being reported was an MFA-enrolment
    // email (presumably the user disowning a newly enrolled factor — confirm).
    $risk_score = max(
      35 +
      if($report.security_result.detection_fields["suspiciousActivityEventType"] = "system.email.mfa_enroll_notification.sent_message", 30)
    )
    // Context for the analyst: who reported, from where, and the reported account.
    $target_user_userid = array_distinct($report.target.user.userid)
    $target_user_email_addresses = array_distinct($report.target.user.email_addresses)
    $principal_user_email_addresses = array_distinct ($report.principal.user.email_addresses)
    $principal_ip = array_distinct($report.principal.ip)
    $principal_ip_country = array_distinct($report.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($report.principal.ip_geo_artifact.location.state)
    $principal_ip_city = array_distinct($report.principal.location.city)
    $target_user_agent = array_distinct($report.network.http.user_agent)
    $security_result_summary = array_distinct($report.security_result.summary)
  condition:
    $report
}onelogin_multiple_users_login_failures_from_the_same_ip
Detects multiple users login failures from a single IP.
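rule onelogin_multiple_users_login_failures_from_the_same_ip {
  meta:
    author = "Google Cloud Security"
    description = "Detects multiple users login failures from a single IP."
    rule_id = "mr_8e302561-6fc5-430d-ae0c-bd285a0aec21"
    rule_name = "OneLogin Multiple Users Login Failures From The Same IP"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v15.1"
    type = "Alert"
    data_source = "OneLogin"
    severity = "Medium"
    priority = "Medium"
  events:
    // OneLogin failed-authentication events, grouped by the source IP.
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_name = "ONELOGIN_SSO"
    $login.metadata.vendor_name = "ONELOGIN"
    $login.security_result.action = "BLOCK"
    $login.metadata.product_event_type = "6" //user failed authentication
    $login.principal.ip = $ip
  match:
    $ip over 1h
  outcome:
    // Base 35, +20 when the SOURCE IP geolocates to a listed geography.
    // Fixed: this previously read $login.target.ip_geo_artifact, i.e. the geo of
    // the target side rather than the IP the rule groups on. The sibling OneLogin
    // and Okta rules, and $principal_ip_country below, all use principal.
    $risk_score = max(35 +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Iran", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Russia", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $mitre_attack_tactic = "Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    $principal_user_user_display_name = array_distinct($login.principal.user.user_display_name)
    // Distinct user IDs that failed from this IP; drives the condition.
    $dc_principal_user_userid = count_distinct($login.principal.user.userid)
    $metadata_description = array_distinct($login.metadata.description)
  condition:
    // Fires once more than three distinct users have failed from one IP in 1h.
    $login and $dc_principal_user_userid > 3
}onelogin_user_logins_from_multiple_countries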
Detects user logins for the same user from different countries within 24 hours.
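rule onelogin_user_logins_from_multiple_countries {
  meta:
    author = "Google Cloud Security"
    // Fixed: the description said "different cities", but the rule name, the
    // count_distinct below and the condition all operate on countries.
    description = "Detects user logins for the same user from different countries within 24 hours."
    rule_id = "mr_92eb87fb-0310-460f-9640-8bc0bb87a8a3"
    rule_name = "OneLogin User Logins From Multiple Countries"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1078/004/"
    mitre_attack_version = "v15.1"
    type = "Alert"
    data_source = "OneLogin"
    severity = "Medium"
    priority = "Medium"
  events:
    // Successful OneLogin logins, grouped by user.
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.product_name = "ONELOGIN_SSO"
    $login.metadata.vendor_name = "ONELOGIN"
    $login.metadata.product_event_type = "5" //user logged into onelogin
    $login.principal.user.userid = $userid
  match:
    $userid over 24h
  outcome:
    // Base 35, +20 when the source IP geolocates to a listed geography.
    $risk_score = max(
      35 +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Cuba", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Iran", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "North Korea", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Russia", 20) +
      if($login.principal.ip_geo_artifact.location.country_or_region = "Syria", 20)
    )
    $mitre_attack_tactic = "Initial Access"
    $mitre_attack_technique = "Valid Accounts: Cloud Accounts"
    $network_user_agent = array_distinct($login.network.http.user_agent)
    $principal_ip = array_distinct($login.principal.ip)
    $principal_ip_country = array_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_ip_state = array_distinct($login.principal.ip_geo_artifact.location.state)
    // Distinct source countries for this user; drives the condition. Events
    // without a resolved country are not filtered out above — confirm whether an
    // empty value is counted as a distinct country by count_distinct.
    $dc_principal_ip_country = count_distinct($login.principal.ip_geo_artifact.location.country_or_region)
    $principal_user_userid = array_distinct($login.principal.user.userid)
    $principal_user_user_display_name = array_distinct($login.principal.user.user_display_name)
    $target_user_userid = array_distinct($login.target.user.userid)
  condition:
    $login and $dc_principal_ip_country > 1
}potential_credential_dumping_activity_via_lsass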
Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
rule potential_credential_dumping_activity_via_lsass {
// Port of the SigmaHQ proc_access_win_lsass_memdump rule: a process opening a
// handle to lsass.exe with an access mask and call trace typical of memory
// dumpers, after excluding known benign openers.
meta:
author = "Samir Bousseaden, Michael Haag"
description = "Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature."
reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
rule_name = "Potential Credential Dumping Activity Via LSASS"
sigma_uuid = "5ef9853e-4d0e-4a70-846f-a9ca37d876da"
sigma_status = "experimental"
rule_id = "mr_33474568-9a0a-4588-ba79-144ab7908f8e"
tactic = "TA0006"
technique = "T1003.001"
type = "Detection"
data_source = "Sysmon"
platform = "Windows"
severity = "Medium"
priority = "Medium"
false_positives = "Unknown"
events:
// Process-access events whose target image is lsass.exe.
$process.metadata.event_type = "PROCESS_OPEN"
re.regex($process.target.process.file.full_path, `\\lsass\.exe$`) nocase
// target.resource.name carries the requested access mask (presumably Sysmon
// event 10 GrantedAccess — confirm against the parser). A substring match is
// used, so "0x1038" also matches longer masks such as "0x103800".
(
strings.contains(strings.to_lower($process.target.resource.name), "0x1038") or
strings.contains(strings.to_lower($process.target.resource.name), "0x1438") or
strings.contains(strings.to_lower($process.target.resource.name), "0x143a") or
strings.contains(strings.to_lower($process.target.resource.name), "0x1fffff") //questionable, this one and others have been filtered out due to FP
)
// The Sysmon CallTrace must pass through one of these system DLLs.
(
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "dbgcore.dll") or
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "dbghelp.dll") or
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "kernel32.dll") or
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "kernelbase.dll") or
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "ntdll.dll")
)
// Exclude system principals: "AUTHORI" covers NT AUTHORITY, "AUTORI" presumably a
// localized spelling. This is a case-sensitive substring test.
NOT (
strings.contains($process.principal.administrative_domain, "AUTHORI") or
strings.contains($process.principal.administrative_domain, "AUTORI")
)
// Exclude the Nextron THOR scanner deployed via ASGARD (all four must hold).
NOT (
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), ":\\windows\\temp\\asgard2-agent\\") and
strings.contains(strings.to_lower($process.additional.fields["CallTrace"]), "\\thor\\thor64.exe+") and
strings.contains(strings.to_upper($process.additional.fields["CallTrace"]), "|UNKNOWN(") and
$process.target.resource.name = "0x103800" nocase
)
// Exclude Sysmon itself as the opening process.
NOT re.regex($process.principal.process.file.full_path, `:\\Windows\\Sysmon64\.exe$`) nocase
$process.principal.hostname = $hostname
match:
$hostname over 5m
outcome:
//example usage of specifying test hostname to adjust risk score
// Replace the literal "hostname" with a real test host to zero its score.
$risk_score = max(if($process.principal.hostname = "hostname", 0, 15))
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
$log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))
condition:
$process
}powershell_web_download
Detects suspicious ways to download files or content using PowerShell
rule powershell_web_download {
  meta:
    author = "Florian Roth (Nextron Systems)"
    description = "Detects suspicious ways to download files or content using PowerShell"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "PowerShell Web Download"
    sigma_uuid = "6e897651-f157-4d8f-aaeb-df8151488385"
    sigma_status = "test"
    rule_id = "mr_942ed146-8046-4623-bae9-03bb4aaaf7d7"
    tactic = "TA0002"
    technique = "T1059.001"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Medium"
    priority = "Medium"
    false_positives = "Scripts or tools that download files"
  events:
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    // Case-insensitive, unanchored match on four download-cradle markers in the
    // launched process's command line: WebClient .DownloadString( / .DownloadFile(
    // and "invoke-webrequest " / "iwr " followed by a space. Note the image name
    // is not checked, so any process with such a command line qualifies.
    re.regex($launch.target.process.command_line, `\.downloadstring\(|\.downloadfile\(|invoke-webrequest |iwr `) nocase
    $launch.principal.hostname = $hostname
  match:
    $hostname over 5m
  outcome:
    //example usage of specifying test user and hostname to adjust risk score
    $risk_score = max(if($launch.principal.user.userid = "user" and $launch.principal.hostname = "hostname", 0, 15))
    // Context for the analyst: the launching (principal) and launched (target) processes.
    $principal_user_userid = array_distinct($launch.principal.user.userid)
    $principal_process_pid = array_distinct($launch.principal.process.pid)
    $principal_process_command_line = array_distinct($launch.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($launch.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($launch.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($launch.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($launch.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($launch.target.process.pid)
    $target_process_command_line = array_distinct($launch.target.process.command_line)
    $target_process_file_sha256 = array_distinct($launch.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($launch.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($launch.target.process.product_specific_process_id)
    $log_type = array_distinct(strings.concat($launch.metadata.log_type,"/",$launch.metadata.product_event_type))
  condition:
    $launch
}rdp_sensitive_settings_changed_to_zero
Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
rule rdp_sensitive_settings_changed_to_zero {
// Registry value-set events that put one of three Terminal Services values to 0.
// Only the zero-valued subset of the upstream Sigma rule is ported here: the
// description below mentions fAllowUnsolicited, but no predicate matches it.
meta:
author = "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali"
description = "Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc."
reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
rule_name = "RDP Sensitive Settings Changed to Zero"
rule_id = "mr_553a08a3-f1b6-4962-9393-151b0fecdf55"
sigma_uuid = "a2863fbc-d5cb-48d5-83fb-d976d4b1743b"
sigma_status = "test"
tactic = "TA0005"
//tactic = "TA0003"
technique = "T1112"
type = "Detection"
data_source = "Sysmon"
platform = "Windows"
severity = "Medium"
priority = "Medium"
false_positives = "Some of the keys mentioned here could be modified by an administrator while setting group policy"
events:
$reg.metadata.event_type = "REGISTRY_MODIFICATION"
// Value name is matched at the end of the key path, case-insensitively:
//   fDenyTSConnections  -> 0 enables RDP connections (per the description)
//   fSingleSessionPerUser -> 0 presumably allows multiple sessions per user
//   UserAuthentication  -> 0 presumably disables NLA
(
re.regex($reg.target.registry.registry_key, `\\fDenyTSConnections$`) nocase or
re.regex($reg.target.registry.registry_key, `\\fSingleSessionPerUser$`) nocase or
re.regex($reg.target.registry.registry_key, `\\UserAuthentication$`) nocase
)
// Only the literal Sysmon rendering of a zero DWORD is matched; other value
// types or renderings (e.g. a REG_SZ "0") would not fire.
$reg.target.registry.registry_value_data = "DWORD (0x00000000)" nocase
$reg.principal.hostname = $hostname
match:
$hostname over 5m
outcome:
//example usage of specifying test user and hostname to adjust risk score
$risk_score = max(if($reg.principal.user.userid = "user" and $reg.principal.hostname = "hostname", 0, 15))
$principal_hostname = array_distinct($reg.principal.hostname)
$principal_process_pid = array_distinct($reg.principal.process.pid)
$principal_process_file_full_path = array_distinct($reg.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($reg.principal.process.product_specific_process_id)
$principal_user_userid = array_distinct($reg.principal.user.userid)
$target_registry_key = array_distinct($reg.target.registry.registry_key)
$target_registry_value_data = array_distinct($reg.target.registry.registry_value_data)
$log_type = array_distinct(strings.concat($reg.metadata.log_type,"/",$reg.metadata.product_event_type))
condition:
$reg
}sap_impossible_travel
Identifies two successful logons for the same User ID from two different geographic locations in a timeframe that is physically impossible to travel between, indicating credential sharing or theft.
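rule sap_impossible_travel {
  meta:
    author = "Google Cloud Security"
    description = "Identifies two successful logons for the same User ID from two different geographic locations in a timeframe that is physically impossible to travel between, indicating credential sharing or theft."
    severity = "medium"
    tactic = "TA0006"
    technique = "T1078"
  events:
    $e.metadata.log_type = "SAP_SECURITY_AUDIT"
    // Successful logons: the normalized USER_LOGIN type, or the raw SAP audit
    // message IDs AU1 / AU5 that this rule treats as successful logons.
    (
      $e.metadata.event_type = "USER_LOGIN" or
      $e.additional.fields["msg_1"] = /^AU1$|^AU5$/
    )
    // Only events with a resolved country take part in the comparison.
    // No equivalent guard exists for state, so whether an empty state value is
    // counted as a distinct state depends on placeholder binding — confirm.
    $e.principal.ip_geo_artifact.location.country_or_region != ""
    $country = $e.principal.ip_geo_artifact.location.country_or_region
    $state = $e.principal.ip_geo_artifact.location.state
    $user = $e.principal.user.userid
  match:
    // "Impossible travel" is approximated as distinct countries/states for one
    // user inside a one-hour window; no distance or speed is computed.
    $user over 1h
  outcome:
    $countries = array_distinct($country)
    $states = array_distinct($state)
    $count_of_countries = count_distinct($country)
    $count_of_states = count_distinct($state)
    // Base 30, +30 for more than one country, +30 for more than two states.
    // NOTE(review): the condition fires at two states but the uplift needs
    // three, so a two-state-only detection carries just the base score —
    // confirm this is intended.
    $risk_score = if(count_distinct($country) > 1, 30, 0) + if(count_distinct($state) > 2, 30, 0) + 30
    $network_carrier_name = array_distinct($e.principal.ip_geo_artifact.network.carrier_name)
    // Fixed: output was misspelled $networn_dns_domain.
    $network_dns_domain = array_distinct($e.principal.ip_geo_artifact.network.dns_domain)
    $network_org = array_distinct($e.principal.ip_geo_artifact.network.organization_name)
    $sap_instance = array_distinct($e.target.resource.name)
  condition:
    #country >= 2 or #state >= 2
}sap_multi_terminal_logon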
Identifies successful logons for the same User ID from multiple different terminal IDs or client hostnames in a short timeframe, indicating potential credential sharing or session theft.
rule sap_multi_terminal_logon {
// One SAP user seen logging on from two or more distinct terminals/hostnames
// inside the match window.
meta:
author = "Google Cloud Security"
description = "Identifies successful logons for the same User ID from multiple different terminal IDs or client hostnames in a short timeframe, indicating potential credential sharing or session theft."
severity = "medium"
tactic = "TA0006"
technique = "T1078"
events:
$e.metadata.log_type = "SAP_SECURITY_AUDIT"
// Successful logons: the normalized USER_LOGIN type, or the raw SAP audit
// message IDs AU1 / AU5 that this rule treats as successful logons.
(
$e.metadata.event_type = "USER_LOGIN" or
$e.additional.fields["msg_1"] = /^AU1$|^AU5$/
)
// Ensure we only check events that actually have a terminal/hostname recorded
$e.principal.hostname != ""
$terminal = $e.principal.hostname
$user = $e.principal.user.userid
match:
// Window is 15m; widen to 30m or 1h if direct terminal switches are rare
// enough in this environment that a longer window is acceptable.
$user over 15m
outcome:
$terminals = array_distinct($terminal)
$count_of_terminals = count_distinct($terminal)
// Give a high risk score if they switch terminals
// (flat 60; there is no scaling by the number of terminals).
$risk_score = 60
$sap_instance = array_distinct($e.target.resource.name)
condition:
// Trigger if the user is seen on 2 or more distinct terminals
#terminal >= 2
}sap_multiple_password_changes
Detects multiple password changes (BU2) by a single actor or targeting a single user across systems.
rule sap_multiple_password_changes {
// Bursts of SAP BU2 (password change) audit messages performed by one actor.
// NOTE(review): the match key is the acting user only, so the "targeting a
// single user across systems" half of the description (many actors changing one
// account) is not covered here; that needs a rule matched on $target_user.
meta:
author = "Google Cloud Security"
description = "Detects multiple password changes (BU2) by a single actor or targeting a single user across systems."
severity = "Medium"
tactic = "TA0004"
technique = "T1098"
events:
// Selected by product_name here, whereas the neighbouring SAP rules select on
// metadata.log_type = "SAP_SECURITY_AUDIT" — confirm both resolve to the same feed.
$e.metadata.product_name = "SAP security audit"
$e.additional.fields["msg_1"] = "BU2"
$source_user = $e.principal.user.userid
// Target account taken from the audit message's second parameter.
$target_user = $e.additional.fields["param2_1"]
// Client (Mandant); the label key differs from the "slgmand" key used in
// sap_sensitive_role_assignment_correlation — confirm which the parser emits.
$client = $e.target.resource.attribute.labels["slgmand_1"]
match:
$source_user over 3h
outcome:
$total_changes = count($e.metadata.product_log_id)
$distinct_targets = count_distinct($target_user)
$distinct_clients = count_distinct($client)
$admin_email = array_distinct($e.principal.user.email_addresses)
$target_users = array_distinct($target_user)
$terminal_ips = array_distinct($e.principal.ip)
condition:
// Three or more changes by one actor in 3h. The second disjunct is implied by
// the first (three distinct targets require at least three events).
#e >= 3 or #target_user >= 3
}sap_sensitive_role_assignment_correlation
Correlates SAP Change Documents with Security Audit logs to detect sensitive role assignments and self-assignments.
rule sap_sensitive_role_assignment_correlation {
// Joins a PFCG role-assignment change document with a security-audit event for
// the same user and client within 30m, excluding listed admin accounts.
meta:
author = "Google Cloud Security"
description = "Correlates SAP Change Documents with Security Audit logs to detect sensitive role assignments and self-assignments."
severity = "Medium"
tactic = "TA0004"
technique = "T1098"
events:
// Change document: an insert ("I") into AGR_USERS made through PFCG.
$change.metadata.log_type = "SAP_CHANGE_DOCUMENT"
$change.target.resource.name = "PFCG"
$change.target.resource.attribute.labels["TABNAME"] = "AGR_USERS"
$change.target.resource.attribute.labels["CHANGE_IND"] = "I"
$client = $change.target.resource.attribute.labels["MANDANT"]
// TABKEY is captured but never compared to $user, so self-assignment is not
// actually singled out. If TABKEY carries the assigned user name, an outcome
// such as if($target_user = $user) would flag it — confirm the key format.
$target_user = $change.target.resource.attribute.labels["TABKEY"]
//joining on user value
$user = $change.principal.user.userid
$user = $audit.principal.user.userid
// Audit side: no event-type filter, so ANY security-audit event by the same
// user in the same client within the window satisfies the join.
$audit.metadata.log_type = "SAP_SECURITY_AUDIT"
$client = $audit.target.resource.attribute.labels["slgmand"]
// Requires the %sap_admin_users reference list (column "user") to exist.
not $user in %sap_admin_users.user
match:
$user, $client over 30m
outcome:
$assigned_role = array_distinct($change.target.resource.product_object_id)
$principal_ip = array_distinct($audit.principal.ip)
$audit_description = array_distinct($audit.metadata.description)
condition:
$change and $audit
}sap_suspected_data_exfiltration
Detects high-volume data downloads (AUY) from SAP to a local frontend file, potentially indicating exfiltration.
rule sap_suspected_data_exfiltration {
// Ten or more SAP AUY (frontend download) audit messages by one user in 5m.
meta:
author = "Google Cloud Security"
description = "Detects high-volume data downloads (AUY) from SAP to a local frontend file, potentially indicating exfiltration."
severity = "Medium"
tactic = "TA0010"
technique = "T1041"
events:
$e.metadata.product_name = "SAP security audit"
$e.additional.fields["msg_1"] = "AUY"
$user = $e.principal.user.userid
match:
$user over 5m
outcome:
// Volume is measured in events, not bytes.
$event_count = count($e.metadata.product_log_id)
$report_used = array_distinct($e.principal.process.file.names)
$file_paths = array_distinct($e.additional.fields["param3_1"])
// NOTE(review): despite the name this is the list of distinct param1_1 values,
// not a sum; summing would need the parameter as a numeric field.
$total_bytes_approx = array_distinct($e.additional.fields["param1_1"])
$terminal_ip = array_distinct($e.principal.ip)
$system_id = array_distinct($e.target.application)
condition:
$e and $event_count >= 10
}suspicious_download_via_certutil_exe
Detects the execution of certutil with certain flags that allow the utility to download files
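rule suspicious_download_via_certutil_exe {
  meta:
    author = "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)"
    description = "Detects the execution of certutil with certain flags that allow the utility to download files"
    reference = "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml"
    license = "https://github.com/SigmaHQ/Detection-Rule-License/blob/main/LICENSE.Detection.Rules.md"
    rule_name = "Suspicious Download Via Certutil.EXE"
    sigma_uuid = "19b08b1c-861d-4e75-a1ef-ea0c1baf202b"
    sigma_status = "test"
    // Fixed: this key was misspelled "le_id"; every other rule uses rule_id.
    rule_id = "mr_e9ec6964-4883-47b8-a6b3-2ece9962a813"
    tactic = "TA0005"
    technique = "T1027"
    type = "Detection"
    data_source = "Sysmon"
    platform = "Windows"
    severity = "Medium"
    priority = "Medium"
    false_positives = "Unknown"
  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    // certutil identified by image path, or by src.process.file.full_path equal to
    // the bare name (presumably standing in for the Sigma OriginalFileName
    // selector — confirm the parser populates src.process for launches).
    (
      re.regex($process.target.process.file.full_path, `\\certutil\.exe$`) nocase or
      $process.src.process.file.full_path = "certutil.exe" nocase
    )
    // Download-capable verbs, each followed by a space, plus a URL scheme prefix.
    (
      strings.contains(strings.to_lower($process.target.process.command_line), "urlcache ") or
      strings.contains(strings.to_lower($process.target.process.command_line), "verifyctl ")
    )
    strings.contains(strings.to_lower($process.target.process.command_line), "http")
    $process.principal.hostname = $hostname
  match:
    $hostname over 5m
  outcome:
    // Example of zeroing the score for a known test user/host; replace the literals.
    $risk_score = max(if($process.principal.user.userid = "user" and $process.principal.hostname = "hostname", 0, 15))
    $principal_process_pid = array_distinct($process.principal.process.pid)
    $principal_process_command_line = array_distinct($process.principal.process.command_line)
    $principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
    $principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
    $principal_process_product_specfic_process_id = array_distinct($process.principal.process.product_specific_process_id)
    $principal_process_parent_process_product_specfic_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
    $target_process_pid = array_distinct($process.target.process.pid)
    $target_process_command_line = array_distinct($process.target.process.command_line)
    $target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
    $target_process_file_full_path = array_distinct($process.target.process.file.full_path)
    $target_process_product_specfic_process_id = array_distinct($process.target.process.product_specific_process_id)
    $principal_user_userid = array_distinct($process.principal.user.userid)
    $log_type = array_distinct(strings.concat($process.metadata.log_type,"/",$process.metadata.product_event_type))
  condition:
    $process
}ttp_windows_w3wp_launching_encoded_powershell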
Detects the execution of an encoded PowerShell command whose parent process is w3wp.exe.
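rule ttp_windows_w3wp_launching_encoded_powershell {
  meta:
    author = "Google Cloud Security"
    rule_name = "W3WP Launching Encoded Powershell"
    description = "Detects on the execution of an encoded powershell command with a parent process of w3wp.exe."
    severity = "Medium"
    tactic = "TA0002"
    technique = "T1059.001"
    // NOTE(review): this text refers to "the specified URL", which reads as carried
    // over from a web-request rule; this rule keys on process launches.
    false_positives = "Legitimate administrative actions to the specified URL should be rare. Some penetration testing activity could trigger this rule. In some cases, specific third party applications could generate similar requests, but this should be rare."
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-49706, https://research.eye.security/sharepoint-under-siege/"
    rule_id = "mr_83daf64e-25e8-4b6b-8596-3adcc694e781"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Parent (launching) process is IIS's w3wp.exe.
    re.regex($e.principal.process.file.full_path, `(^|\\)w3wp\.exe$`) nocase
    // Environment-specific allowlist: a named script and two known encoded
    // payloads (Az.Accounts import, $PointeeResourceName). Review these when
    // deploying — they exclude exact command lines, not signed or trusted scripts.
    not re.regex($e.target.process.command_line, `\\Scripts\\CheckDiskSpace\.ps1'`) nocase
    not re.regex($e.target.process.command_line, `DQAKACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAJwBTAHQAbwBwACcADQAKAFsAdgBlAHIAcwBpAG8AbgBdACQAbQBpAG4AaQBtAHUAbQBWAGUAcgBzAGkAbwBuACAAPQAgACcAMgAuADIALgAwACcADQAKAA0ACgAkAG0AIAA9ACAASQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEEAegAuAEEAYwBjAG8AdQBuAHQAcwAg`) nocase
    not re.regex($e.target.process.command_line, `EncodedCommand JABQAG8AaQBuAHQAZQBlAFIAZQBzAG8AdQByAGMAZQBOAGEAbQBlACAAPQAgACcAVgBEAFAAUgB`) nocase
    // Encoded-command switch. powershell.exe/pwsh accept -ec and any unambiguous
    // prefix of -EncodedCommand, so every prefix from -e to -encodedcommand is
    // listed; the original alternation (e|en|enc|enco|encodedcommand) let
    // -ec, -encod, -encode, -encoded, ... through.
    (
      (
        re.regex($e.target.process.file.full_path, `(^|\\)(pwsh|powershell)\.exe$`) nocase and
        re.regex($e.target.process.command_line, `\s-(e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s`) nocase
      ) or
      // Fallback when the image path is not powershell/pwsh but the command line is.
      re.regex($e.target.process.command_line, `(pwsh|powershell).*\s-(e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s`) nocase
    )
  outcome:
    $principal_hostname = $e.principal.hostname
    $risk_score = 65
    $vendor_name = array($e.metadata.vendor_name)
    $product_name = $e.metadata.product_name
    $victim_uid = $e.principal.asset.asset_id
    $victim_name = $e.principal.asset.hostname
    $victim_netid = array($e.principal.ip)
    $adversary_uid = $e.principal.user.userid
    $adversary_name = $e.principal.user.user_display_name
    $adversary_netid = $e.principal.user.windows_sid
    // $tmp1 + $tmp2 indexes "attempted,failed,succeeded,succeeded":
    //   0 = action unknown/unset, 1 = blocked, 2 = allowed, 3 = both seen -> succeeded.
    $tmp1 = max(
      if($e.security_result.action != "BLOCK" and $e.security_result.action != "UNKNOWN_ACTION", 2)
    )
    $tmp2 = max(
      if($e.security_result.action = "BLOCK", 1)
    )
    $result = arrays.index_to_str(strings.split("attempted,failed,succeeded,succeeded"), $tmp1 + $tmp2)
    $result_time = $e.metadata.event_timestamp.seconds
    $event_count = 1
  condition:
    $e
}windows_event_log_cleared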
Detects the clearing of event logs within the Windows Event Viewer.
rule windows_event_log_cleared {
// Three independent signals that a Windows event log was cleared, grouped by host.
meta:
author = "Google Cloud Security"
description = "Detects the clearing of event logs within the Windows Event Viewer. "
rule_id = "mr_067f3ee9-9bc6-400d-9ba5-bebe7253482f"
rule_name = "Windows Event Log Cleared"
type = "alert"
data_source = "microsoft sysmon, microsoft windows events"
platform = "Windows"
tactic = "TA0005"
technique = "T1070.001"
severity = "Medium"
priority = "Medium"
events:
// 1) A wevtutil command line with "cl" (clear-log) naming the System,
//    Application or Security log. NOTE(review): `.*cl.*` is loose — any "cl"
//    between "wevtutil" and the log name matches — and logs such as
//    Sysmon/Operational or PowerShell/Operational are not covered.
(
$process.metadata.event_type = "PROCESS_LAUNCH" and
// currently the command line is focused on the three primary log sets, could expand this further if desired
re.regex($process.target.process.command_line, `wevtutil.*cl.*(system|application|security)`) nocase
)
or
// 2) The normalized audit-log-wipe event type from Microsoft sources
//    (presumably Security 1102 / System 104 — confirm against the parser).
(
$process.metadata.event_type = "SYSTEM_AUDIT_LOG_WIPE" and
$process.metadata.vendor_name = "Microsoft"
)
or
// 3) PowerShell STATUS_UPDATE events whose description mentions the
//    Clear-EventLog or Remove-EventLog cmdlets (presumably script-block
//    logging — confirm). Does not cover .NET EventLogSession.ClearLog calls.
(
$process.metadata.event_type = "STATUS_UPDATE" and
$process.metadata.product_name = "PowerShell" and
$process.metadata.vendor_name = "Microsoft" and
(
re.regex($process.security_result.description, `Remove-EventLog`) nocase or
re.regex($process.security_result.description, `Clear-EventLog`) nocase
)
)
$process.principal.hostname = $hostname
match:
$hostname over 5m
outcome:
$risk_score = 65
$event_count = count_distinct($process.metadata.id)
$process_description = array_distinct($process.metadata.description)
// added to populate alert graph with additional context
// Commented out principal.hostname because it is already represented in graph as match variable. If match changes, can uncomment to add to results
//$principal_hostname = array_distinct($process.principal.hostname)
$principal_process_pid = array_distinct($process.principal.process.pid)
$principal_process_command_line = array_distinct($process.principal.process.command_line)
$principal_process_file_sha256 = array_distinct($process.principal.process.file.sha256)
$principal_process_file_full_path = array_distinct($process.principal.process.file.full_path)
$principal_process_product_specific_process_id = array_distinct($process.principal.process.product_specific_process_id)
$principal_process_parent_process_product_specific_process_id = array_distinct($process.principal.process.parent_process.product_specific_process_id)
$target_process_pid = array_distinct($process.target.process.pid)
$target_process_command_line = array_distinct($process.target.process.command_line)
$target_process_file_sha256 = array_distinct($process.target.process.file.sha256)
$target_process_file_full_path = array_distinct($process.target.process.file.full_path)
$target_process_product_specific_process_id = array_distinct($process.target.process.product_specific_process_id)
$principal_user_userid = array_distinct($process.principal.user.userid)
condition:
$process
}AWS Bedrock Foundation Model Access Enabled or Entitlement Granted
Identifies when access to an Amazon Bedrock foundation model is enabled at the account level, either by granting a
foundation-model entitlement, submitting a use case for model access, or creating a foundation-model agreement
(accepting the EULA). These account-level "model access" actions unlock a foundation model so that it can subsequently
be invoked. Adversaries or a compromised principal may enable model access to abuse expensive models (LLMjacking), to
establish a durable ability to invoke models within the account, or to bypass organizational controls. This activity is
distinct from changes to a resource-based model invocation policy and is identified by the Bedrock control-plane API
calls that grant model entitlements and agreements.
AWS Bedrock Resource-Based Policy Modified or Deleted
Detects modification or deletion of resource-based access policies on AWS Bedrock resources via the PutResourcePolicy
and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including external accounts) may
access Bedrock resources such as agents, knowledge bases, and custom models. An adversary may attach a resource policy
granting an external or unexpected principal access to a Bedrock resource to establish persistence or enable
cross-account access, or may delete an existing policy to weaken access controls. These changes should be validated for
principal ownership and least-privilege intent.
Active Directory Group Modification by SYSTEM
Identifies a user being added to an Active Directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate
that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting
vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain
account.
Auditd Login Attempt at Forbidden Time
Identifies that a login attempt occurred at a forbidden time.
Auditd Max Failed Login Attempts
Identifies that the maximum number of failed login attempts has been reached for a user.
Auditd Max Login Sessions
Identifies that the maximum number of login sessions has been reached for a user.
Curl or Wget Execution from Container Context
Detects execution of curl or wget from processes whose title aligns with **`runc init`**, a common fingerprint
for workloads running inside **OCI/runc-backed containers** on Linux hosts instrumented with Auditd Manager.
After breaking out of an application container or abusing a privileged workload, attackers often pull ingress tooling
(stagers, scripts, implants) or stage exfiltration with minimal HTTP clients. Those utilities are also used
benignly in images, so context matters; the `runc init` anchor narrows the signal to the container runtime boundary
where unexpected download clients are more worthy of review than the same binaries on a bare-metal admin shell.
Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected
This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum
allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID
greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
Deprecated - Potential curl CVE-2023-38545 Exploitation
Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction
with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow
during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be
executed with and without the use of environment variables. For increased visibility, enable the collection of
http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of
this rule.
FortiGate SOCKS Traffic from an Unusual Process
This detection correlates FortiGate's application control SOCKS events with Elastic Defend network event to identify the
source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems
or act as an intermediary for network communications to a command and control server to avoid direct connections to their
infrastructure.
FortiGate SSL VPN Login Followed by SIEM Alert by User
Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a
short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise
used from a VPN session, or initial access via VPN followed by post-compromise behavior.
Google Workspace API Access Granted via Domain-Wide Delegation
Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be
configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may
configure domain-wide delegation to maintain access to their target’s data.
Google Workspace Role Modified
Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order
to elevate the permissions of other user accounts and persist in their target’s environment.
Kubernetes Exposed Service Created With Type NodePort
This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to
externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster
that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod
through the service representing it. A malicious user can configure a service as type NodePort in order to intercept
traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers
within a cluster. This creates a direct method of communication between the cluster and the outside world, which could
be used for more malicious behavior and certainly widens the attack surface of your cluster.
Linux User Account Credential Modification
This rule detects Linux user account credential modification events where the echo command is
used to directly echo a password into the passwd or shadow utilities. This technique is used by
malware to automate the process of user account credential modification on Linux systems post-infection.
PANW and Elastic Defend - Command and Control Correlation
This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
the source process performing the network activity.
Potential Account Takeover - Logon from New Source IP
Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different
source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover
or use of stolen credentials from a new location.
Potential Account Takeover - Mixed Logon Types
Identifies a user account (often a service account) that normally logs in with high volume using one logon type
suddenly showing successful logons using a different logon type with low count. This pattern may indicate account
takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service
was expected).
Remote File Download via Desktopimgdownldr Utility
Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to
download arbitrary files as an alternative to certutil.
Remote File Download via MpCmdRun
Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.
Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining
initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for
adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be
atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.