
t1565

Title
automatic isatap configuration in some windows deployments
azure arc system components may create or update secrets and configmaps in the azure-arc and azure-arc-release namespaces during normal cluster management. filter by namespace to exclude these.
dev, uat, and sat environments. apply this rule to prod accounts only.
development or deployment pipelines that update static frontends frequently (e.g., react/vue apps) may trigger this. verify the user agent, source ip, and whether the modification was expected.
modification or deletion of a device or device configuration may be performed by a system administrator.
device or device configuration modifications or deletions by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
disabling encryption may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. disabling encryption by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
dns zone modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
dns zone modification or deletion may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
helm operations managed through arc may create release secrets (prefixed with sh.helm.release.v1). these are normal arc lifecycle operations.
if cloud app security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process.
ipv6 transition projects and network infrastructure changes
legitimate administration activities
legitimate administrators may run these commands
legitimate administrators may run these commands, though rarely.
legitimate ci/cd automation that commits and pushes changes (e.g., auto-formatting, changelog updates, version bumps, dependabot auto-merge) will trigger this alert on first use in a repository. review the repository's workflow configurations to determine if bot pushes are expected.
legitimate isatap router configuration in enterprise environments
network administrators configuring dual-stack networking
some false positives are to be expected on user or administrator machines. apply additional filters as needed.
system administrator activities
this is meant to run only on datasources using elastic agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives.
this rule matches regex patterns for common ransom note file names. ensure that the uploaded file is not part of a legitimate operation before taking action.
trail updates may be made by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. trail updates from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
unknown