[New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes

[w0rk3r]

Issue

Part of #3544

Summary

Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.

Data

Events/Sample Data

{
  "_index": ".ds-logs-endpoint.events.network-default-2024.07.12-000025",
  "_id": "ZkNd25ABiLqpmBCYBX6u",
  "_score": 1,
  "_source": {
    "agent": {
      "id": "ea387e70-7cb8-4978-8df2-e9f44e3ef15d",
      "type": "endpoint",
      "version": "8.12.2"
    },
    "process": {
      "Ext": {
        "ancestry": [
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MTItMTcyMTY0ODQ4Ng==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDYtMTcyMTY0ODQ4Ng==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDUtMTcyMTY0ODQ4Ng==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDQtMTcyMTY0ODQ4Ng==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4OTQtMTcyMTY0ODQ4Ng==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4NDEtMTcyMTY0ODQ4NQ==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4MzQtMTcyMTY0ODQ4NA==",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTgzNi0xNzIxNjQ4MTc1",
          "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTEtMTcyMTY0ODE2NQ=="
        ]
      },
      "parent": {
        "entity_id": "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MTItMTcyMTY0ODQ4Ng=="
      },
      "name": "python3",
      "pid": 22816,
      "thread": {
        "capabilities": {
          "effective": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_RAW",
            "CAP_SYS_CHROOT",
            "CAP_MKNOD",
            "CAP_AUDIT_WRITE",
            "CAP_SETFCAP"
          ],
          "permitted": [
            "CAP_CHOWN",
            "CAP_DAC_OVERRIDE",
            "CAP_FOWNER",
            "CAP_FSETID",
            "CAP_KILL",
            "CAP_SETGID",
            "CAP_SETUID",
            "CAP_SETPCAP",
            "CAP_NET_BIND_SERVICE",
            "CAP_NET_RAW",
            "CAP_SYS_CHROOT",
            "CAP_MKNOD",
            "CAP_AUDIT_WRITE",
            "CAP_SETFCAP"
          ]
        }
      },
      "entity_id": "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTIyODE2LTE3MjE2NjcyMjU=",
      "executable": "/opt/tools/ShadowCoerce/venv/bin/python3"
    },
    "destination": {
      "address": "192.168.56.10",
      "port": 445,
      "ip": "192.168.56.10"
    },
    "source": {
      "address": "192.168.56.200",
      "port": 41924,
      "ip": "192.168.56.200"
    },
    "message": "Endpoint network event",
    "network": {
      "transport": "tcp",
      "type": "ipv4"
    },
    "@timestamp": "2024-07-22T16:53:46.2877817Z",
    "ecs": {
      "version": "8.10.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "endpoint.events.network"
    },
    "elastic": {
      "agent": {
        "id": "ea387e70-7cb8-4978-8df2-e9f44e3ef15d"
      }
    },
    "host": {
      "hostname": "jonh-virtual-machine",
      "os": {
        "Ext": {
          "variant": "Ubuntu"
        },
        "kernel": "6.5.0-44-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 18 14:36:16 UTC 2",
        "name": "Linux",
        "family": "ubuntu",
        "type": "linux",
        "version": "22.04.4",
        "platform": "ubuntu",
        "full": "Ubuntu 22.04.4"
      },
      "ip": [
        "192.168.56.200",
        "172.17.0.1",
        "127.0.0.1",
        "::1",
        "192.168.133.129",
        "fe80::b09f:b79d:7caa:1b51"
      ],
      "name": "jonh-virtual-machine",
      "id": "e73a5ff9b30a40969fb5dedc8f1bdd18",
      "mac": [
        "00-0c-29-a5-56-92",
        "02-42-27-54-10-0f",
        "00-0c-29-a5-56-88"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "sequence": 79497,
      "ingested": "2024-07-22T16:53:44Z",
      "created": "2024-07-22T16:53:46.2877817Z",
      "kind": "event",
      "module": "endpoint",
      "action": "connection_attempted",
      "id": "Ndt2EO2UzsLLPkAZ+++++h3E",
      "category": [
        "network"
      ],
      "type": [
        "start"
      ],
      "dataset": "endpoint.events.network",
      "outcome": "unknown"
    },
    "user": {
      "Ext": {
        "real": {
          "name": "root",
          "id": 0
        }
      },
      "name": "root",
      "id": 0
    },
    "group": {
      "Ext": {
        "real": {
          "name": "root",
          "id": 0
        }
      },
      "name": "root",
      "id": 0
    }
  },
  "fields": {
    "host.os.full.text": [
      "Ubuntu 22.04.4"
    ],
    "event.category": [
      "network"
    ],
    "process.name.text": [
      "python3"
    ],
    "host.os.name.text": [
      "Linux"
    ],
    "host.os.full": [
      "Ubuntu 22.04.4"
    ],
    "host.hostname": [
      "jonh-virtual-machine"
    ],
    "process.pid": [
      22816
    ],
    "host.mac": [
      "00-0c-29-a5-56-92",
      "02-42-27-54-10-0f",
      "00-0c-29-a5-56-88"
    ],
    "elastic.agent.id": [
      "ea387e70-7cb8-4978-8df2-e9f44e3ef15d"
    ],
    "host.os.version": [
      "22.04.4"
    ],
    "process.parent.entity_id": [
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MTItMTcyMTY0ODQ4Ng=="
    ],
    "host.os.name": [
      "Linux"
    ],
    "source.ip": [
      "192.168.56.200"
    ],
    "destination.address": [
      "192.168.56.10"
    ],
    "host.name": [
      "jonh-virtual-machine"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "unknown"
    ],
    "group.name": [
      "root"
    ],
    "process.thread.capabilities.permitted": [
      "CAP_CHOWN",
      "CAP_DAC_OVERRIDE",
      "CAP_FOWNER",
      "CAP_FSETID",
      "CAP_KILL",
      "CAP_SETGID",
      "CAP_SETUID",
      "CAP_SETPCAP",
      "CAP_NET_BIND_SERVICE",
      "CAP_NET_RAW",
      "CAP_SYS_CHROOT",
      "CAP_MKNOD",
      "CAP_AUDIT_WRITE",
      "CAP_SETFCAP"
    ],
    "host.os.type": [
      "linux"
    ],
    "user.id": [
      "0"
    ],
    "process.Ext.ancestry": [
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MTItMTcyMTY0ODQ4Ng==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDYtMTcyMTY0ODQ4Ng==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDUtMTcyMTY0ODQ4Ng==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM5MDQtMTcyMTY0ODQ4Ng==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4OTQtMTcyMTY0ODQ4Ng==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4NDEtMTcyMTY0ODQ4NQ==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTM4MzQtMTcyMTY0ODQ4NA==",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTgzNi0xNzIxNjQ4MTc1",
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTEtMTcyMTY0ODE2NQ=="
    ],
    "user.Ext.real.id": [
      "0"
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "python3"
    ],
    "agent.id": [
      "ea387e70-7cb8-4978-8df2-e9f44e3ef15d"
    ],
    "source.port": [
      41924
    ],
    "ecs.version": [
      "8.10.0"
    ],
    "event.created": [
      "2024-07-22T16:53:46.287Z"
    ],
    "agent.version": [
      "8.12.2"
    ],
    "host.os.family": [
      "ubuntu"
    ],
    "process.thread.capabilities.effective": [
      "CAP_CHOWN",
      "CAP_DAC_OVERRIDE",
      "CAP_FOWNER",
      "CAP_FSETID",
      "CAP_KILL",
      "CAP_SETGID",
      "CAP_SETUID",
      "CAP_SETPCAP",
      "CAP_NET_BIND_SERVICE",
      "CAP_NET_RAW",
      "CAP_SYS_CHROOT",
      "CAP_MKNOD",
      "CAP_AUDIT_WRITE",
      "CAP_SETFCAP"
    ],
    "destination.port": [
      445
    ],
    "group.id": [
      "0"
    ],
    "user.name": [
      "root"
    ],
    "source.address": [
      "192.168.56.200"
    ],
    "process.entity_id": [
      "ZWEzODdlNzAtN2NiOC00OTc4LThkZjItZTlmNDRlM2VmMTVkLTIyODE2LTE3MjE2NjcyMjU="
    ],
    "event.sequence": [
      79497
    ],
    "host.ip": [
      "192.168.56.200",
      "172.17.0.1",
      "127.0.0.1",
      "::1",
      "192.168.133.129",
      "fe80::b09f:b79d:7caa:1b51"
    ],
    "process.executable.caseless": [
      "/opt/tools/shadowcoerce/venv/bin/python3"
    ],
    "agent.type": [
      "endpoint"
    ],
    "process.executable.text": [
      "/opt/tools/ShadowCoerce/venv/bin/python3"
    ],
    "event.module": [
      "endpoint"
    ],
    "group.Ext.real.name": [
      "root"
    ],
    "host.os.kernel": [
      "6.5.0-44-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 18 14:36:16 UTC 2"
    ],
    "host.os.full.caseless": [
      "ubuntu 22.04.4"
    ],
    "host.id": [
      "e73a5ff9b30a40969fb5dedc8f1bdd18"
    ],
    "process.name.caseless": [
      "python3"
    ],
    "network.type": [
      "ipv4"
    ],
    "process.executable": [
      "/opt/tools/ShadowCoerce/venv/bin/python3"
    ],
    "user.Ext.real.name": [
      "root"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "message": [
      "Endpoint network event"
    ],
    "destination.ip": [
      "192.168.56.10"
    ],
    "network.transport": [
      "tcp"
    ],
    "group.Ext.real.id": [
      "0"
    ],
    "host.os.Ext.variant": [
      "Ubuntu"
    ],
    "event.action": [
      "connection_attempted"
    ],
    "event.ingested": [
      "2024-07-22T16:53:44Z"
    ],
    "@timestamp": [
      "2024-07-22T16:53:46.287Z"
    ],
    "host.os.platform": [
      "ubuntu"
    ],
    "data_stream.dataset": [
      "endpoint.events.network"
    ],
    "event.type": [
      "start"
    ],
    "event.id": [
      "Ndt2EO2UzsLLPkAZ+++++h3E"
    ],
    "event.dataset": [
      "endpoint.events.network"
    ],
    "host.os.name.caseless": [
      "linux"
    ],
    "user.name.text": [
      "root"
    ]
  }
}

{
  "_index": ".ds-logs-system.security-default-2024.07.02-000028",
  "_id": "m0Nd25ABiLqpmBCYAnk7",
  "_score": 1,
  "_source": {
    "agent": {
      "name": "kingslanding",
      "id": "c725ae87-e846-4602-9a08-2c717a3a504b",
      "ephemeral_id": "82ef15ac-4d92-4f60-b6cd-11fad4777d83",
      "type": "filebeat",
      "version": "8.14.2"
    },
    "winlog": {
      "computer_name": "kingslanding.sevenkingdoms.local",
      "process": {
        "pid": 4,
        "thread": {
          "id": 5624
        }
      },
      "keywords": [
        "Audit Success"
      ],
      "logon": {
        "id": "0x1a7d177"
      },
      "channel": "Security",
      "event_data": {
        "ShareName": "\\\\*\\IPC$",
        "SubjectLogonId": "0x1a7d177",
        "AccessMask": "0x3",
        "ObjectType": "File",
        "SubjectUserName": "cersei.lannister",
        "AccessReason": "-",
        "SubjectDomainName": "SEVENKINGDOMS",
        "AccessMaskDescription": [
          "Create Child",
          "Delete Child"
        ],
        "RelativeTargetName": "FssagentRpc",
        "AccessList": "%%4416\n\t\t\t\t%%4417\n\t\t\t\t",
        "SubjectUserSid": "S-1-5-21-3715621034-4113696668-281506975-1115"
      },
      "opcode": "Info",
      "record_id": "5479725",
      "event_id": "5145",
      "task": "Detailed File Share",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "log": {
      "level": "information"
    },
    "elastic_agent": {
      "id": "c725ae87-e846-4602-9a08-2c717a3a504b",
      "version": "8.14.2",
      "snapshot": false
    },
    "source": {
      "port": 41924,
      "ip": "192.168.56.200"
    },
    "message": "A network share object was checked to see whether client can be granted desired access.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3715621034-4113696668-281506975-1115\n\tAccount Name:\t\tcersei.lannister\n\tAccount Domain:\t\tSEVENKINGDOMS\n\tLogon ID:\t\t0x1A7D177\n\nNetwork Information:\t\n\tObject Type:\t\tFile\n\tSource Address:\t\t192.168.56.200\n\tSource Port:\t\t41924\n\t\nShare Information:\n\tShare Name:\t\t\\\\*\\IPC$\n\tShare Path:\t\t\n\tRelative Target Name:\tFssagentRpc\n\nAccess Request Information:\n\tAccess Mask:\t\t0x3\n\tAccesses:\t\tReadData (or ListDirectory)\n\t\t\t\tWriteData (or AddFile)\n\t\t\t\t\nAccess Check Results:\n\t-",
    "input": {
      "type": "winlog"
    },
    "@timestamp": "2024-07-22T16:53:47.091Z",
    "file": {
      "name": "FssagentRpc",
      "target_path": "\\\\\\\\*\\\\IPC$\\FssagentRpc"
    },
    "ecs": {
      "version": "8.0.0"
    },
    "related": {
      "ip": [
        "192.168.56.200"
      ],
      "user": [
        "cersei.lannister"
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "system.security"
    },
    "host": {
      "hostname": "kingslanding",
      "os": {
        "build": "17763.6054",
        "kernel": "10.0.17763.6054 (WinBuild.160101.0800)",
        "name": "Windows Server 2019 Datacenter Evaluation",
        "type": "windows",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "192.168.56.10",
        "192.168.133.195"
      ],
      "name": "kingslanding",
      "id": "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9",
      "mac": [
        "00-0C-29-F8-CF-09",
        "00-0C-29-F8-CF-FF"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-07-22T16:53:44Z",
      "code": "5145",
      "provider": "Microsoft-Windows-Security-Auditing",
      "created": "2024-07-22T16:53:48.062Z",
      "kind": "event",
      "action": "network-share-object-access-checked",
      "category": [
        "network",
        "file"
      ],
      "type": [
        "info",
        "access"
      ],
      "dataset": "system.security",
      "outcome": "success"
    },
    "user": {
      "domain": "SEVENKINGDOMS",
      "name": "cersei.lannister",
      "id": "S-1-5-21-3715621034-4113696668-281506975-1115"
    }
  },
  "fields": {
    "elastic_agent.version": [
      "8.14.2"
    ],
    "event.category": [
      "network",
      "file"
    ],
    "host.os.name.text": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "winlog.provider_guid": [
      "{54849625-5478-4994-a5ba-3e3b0328c30d}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "host.hostname": [
      "kingslanding"
    ],
    "winlog.computer_name": [
      "kingslanding.sevenkingdoms.local"
    ],
    "host.mac": [
      "00-0C-29-F8-CF-09",
      "00-0C-29-F8-CF-FF"
    ],
    "winlog.process.pid": [
      4
    ],
    "winlog.event_data.ShareName": [
      "\\\\*\\IPC$"
    ],
    "agent.name.text": [
      "kingslanding"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.keywords": [
      "Audit Success"
    ],
    "winlog.record_id": [
      "5479725"
    ],
    "winlog.logon.id": [
      "0x1a7d177"
    ],
    "host.os.name": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "file.target_path.text": [
      "\\\\\\\\*\\\\IPC$\\FssagentRpc"
    ],
    "log.level": [
      "information"
    ],
    "source.ip": [
      "192.168.56.200"
    ],
    "agent.name": [
      "kingslanding"
    ],
    "host.name": [
      "kingslanding"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "winlog.event_data.AccessMask": [
      "0x3"
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-5-21-3715621034-4113696668-281506975-1115"
    ],
    "file.target_path": [
      "\\\\\\\\*\\\\IPC$\\FssagentRpc"
    ],
    "input.type": [
      "winlog"
    ],
    "data_stream.type": [
      "logs"
    ],
    "related.user": [
      "cersei.lannister"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "5145"
    ],
    "agent.id": [
      "c725ae87-e846-4602-9a08-2c717a3a504b"
    ],
    "source.port": [
      41924
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "event.created": [
      "2024-07-22T16:53:48.062Z"
    ],
    "agent.version": [
      "8.14.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.event_data.RelativeTargetName": [
      "FssagentRpc"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-5-21-3715621034-4113696668-281506975-1115"
    ],
    "winlog.process.thread.id": [
      5624
    ],
    "user.name": [
      "cersei.lannister"
    ],
    "host.os.build": [
      "17763.6054"
    ],
    "host.ip": [
      "192.168.56.10",
      "192.168.133.195"
    ],
    "winlog.event_data.AccessList": [
      "%%4416\n\t\t\t\t%%4417\n\t\t\t\t"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "system"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x1a7d177"
    ],
    "related.ip": [
      "192.168.56.200"
    ],
    "host.os.kernel": [
      "10.0.17763.6054 (WinBuild.160101.0800)"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "user.domain": [
      "SEVENKINGDOMS"
    ],
    "host.id": [
      "bb11c0d0-189a-4fad-aa85-e71a5b6c7ed9"
    ],
    "winlog.task": [
      "Detailed File Share"
    ],
    "elastic_agent.id": [
      "c725ae87-e846-4602-9a08-2c717a3a504b"
    ],
    "winlog.event_data.ObjectType": [
      "File"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "winlog.event_data.SubjectUserName": [
      "cersei.lannister"
    ],
    "file.name": [
      "FssagentRpc"
    ],
    "message": [
      "A network share object was checked to see whether client can be granted desired access.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3715621034-4113696668-281506975-1115\n\tAccount Name:\t\tcersei.lannister\n\tAccount Domain:\t\tSEVENKINGDOMS\n\tLogon ID:\t\t0x1A7D177\n\nNetwork Information:\t\n\tObject Type:\t\tFile\n\tSource Address:\t\t192.168.56.200\n\tSource Port:\t\t41924\n\t\nShare Information:\n\tShare Name:\t\t\\\\*\\IPC$\n\tShare Path:\t\t\n\tRelative Target Name:\tFssagentRpc\n\nAccess Request Information:\n\tAccess Mask:\t\t0x3\n\tAccesses:\t\tReadData (or ListDirectory)\n\t\t\t\tWriteData (or AddFile)\n\t\t\t\t\nAccess Check Results:\n\t-"
    ],
    "winlog.event_id": [
      "5145"
    ],
    "event.action": [
      "network-share-object-access-checked"
    ],
    "event.ingested": [
      "2024-07-22T16:53:44Z"
    ],
    "@timestamp": [
      "2024-07-22T16:53:47.091Z"
    ],
    "winlog.channel": [
      "Security"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "system.security"
    ],
    "event.type": [
      "info",
      "access"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "82ef15ac-4d92-4f60-b6cd-11fad4777d83"
    ],
    "winlog.event_data.AccessMaskDescription": [
      "Create Child",
      "Delete Child"
    ],
    "winlog.event_data.SubjectDomainName": [
      "SEVENKINGDOMS"
    ],
    "event.dataset": [
      "system.security"
    ],
    "winlog.event_data.AccessReason": [
      "-"
    ],
    "user.name.text": [
      "cersei.lannister"
    ]
  }
}

[protectionsmachine]

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

• Detailed description of the rule.
• List any new fields required in ECS/data sources.
• Link related issues or PRs.
• Include references.

Rule Metadata Checks

• creation_date matches the date of creation PR initially merged.
• min_stack_version should support the widest stack versions.
• name and description should be descriptive and not include typos.
• query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
• min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
• index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
• integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
• setup should include the necessary steps to configure the integration.
• note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
• tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
• threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

• building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
• bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

• Provide evidence of testing and detecting the expected threat.
• Check for existence of coverage to prevent duplication.