LoFP / T1136

Title
A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Admin activity
Administrative activity
An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Assumed roles may be used by legitimate automated systems to create IAM users for specific workflows. Verify whether this event aligns with known automation activities. If the action is routine for specific roles or user agents (e.g., `aws-cli`, `boto3`), consider adding those roles or user agents to a monitored exception list for streamlined review.
Better to use event IDs for user creation rather than command-line rules.
Domain controller logs
If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives.
Legitimate account creation and privilege elevation activities by authorized administrators will generate alerts with this detection. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for account management, and authorized administrators who regularly perform these actions. You may also want to create a lookup table of approved administrative accounts and filter out alerts for these accounts. Additionally, scheduled maintenance windows should be taken into account when evaluating alerts.
Legitimate administration activities
Legitimate administrative script
Legitimate user creation
Local accounts managed by privileged account management tools
Organization-approved new members
Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior.
Unknown
Unlikely
When remote authentication is in place, this should not change often.