LoFP LoFP / false positives will most likely be present based on risk scoring and how the organization handles system to system communication. filter, or modify as needed. in addition to count by analytics, adding a risk score may be useful. in our testing, with 22 events over 30 days, the risk scores ranged from 500 to 80,000. your organization will be different, monitor and modify as needed.

Techniques

Sample rules

Active Directory Privilege Escalation Identified

Description

The following analytic identifies potential privilege escalation activities within an organization’s Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Privilege Escalation analytic story within a specified time frame. This is significant for a SOC as it helps identify coordinated attempts to gain elevated privileges, which could indicate a serious security threat. If confirmed malicious, this activity could allow attackers to gain unauthorized access to sensitive systems and data, leading to potential data breaches and further compromise of the network.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Privilege Escalation" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic 
| `drop_dm_object_name(All_Risk)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| where source_count >= 4 
| `active_directory_privilege_escalation_identified_filter`

Active Directory Lateral Movement Identified

Description

The following analytic identifies potential lateral movement activities within an organization’s Active Directory (AD) environment. It detects this activity by correlating multiple analytics from the Active Directory Lateral Movement analytic story within a specified time frame. This is significant for a SOC as lateral movement is a common tactic used by attackers to expand their access within a network, posing a substantial risk. If confirmed malicious, this activity could allow attackers to escalate privileges, access sensitive information, and persist within the environment, leading to severe security breaches.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Lateral Movement" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic 
| `drop_dm_object_name(All_Risk)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| where source_count >= 4 
| `active_directory_lateral_movement_identified_filter`