Spike in Group Application Assignment Change Events

A machine learning job has identified an unusual spike in Okta group application assignment change events, indicating potential privileged access activity. Threat actors might be assigning applications to groups to escalate access, maintain persistence, or facilitate lateral movement within an organization’s environment.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2025/02/18"
integration = ["pad","okta"]
maturity = "production"
updated_date = "2025/02/18"
min_stack_version = "8.18.0"
min_stack_comments = "New PAD integration only available starting at 8.18.0."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has identified an unusual spike in Okta group application assignment change events, indicating potential privileged access activity.
Threat actors might be assigning applications to groups to escalate access, maintain persistence, or facilitate lateral movement within an organization’s environment.
"""
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_spike_in_group_application_assignment_changes"
name = "Spike in Group Application Assignment Change Events"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/pad"
]
risk_score = 21
rule_id = "3278313c-d6cd-4d49-aa24-644e1da6623c"
setup = """## Setup

The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.

### Privileged Access Detection Setup
The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Privileged Access Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Privileged Access Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide"
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Spike in Group Application Assignment Change Events

In modern environments, identity and access management systems like Okta manage user access to applications. Adversaries may exploit these systems by altering group application assignments to gain unauthorized access or escalate privileges. The detection rule leverages machine learning to identify unusual spikes in these changes, signaling potential misuse and enabling timely investigation of privilege escalation activities.

### Possible investigation steps

- Review the specific group application assignment change events that triggered the alert to identify which groups and applications were involved.
- Analyze the timeline of the changes to determine if there is a pattern or specific time frame when the spike occurred.
- Investigate the user accounts associated with the changes to assess if they have a history of suspicious activity or if they belong to high-risk roles.
- Check for any recent changes in group membership or application access policies that could explain the spike in assignment changes.
- Correlate the events with other security alerts or logs to identify any concurrent suspicious activities, such as failed login attempts or unusual access patterns.
- Consult with the IT or security team to verify if there were any legitimate administrative activities or changes that could have caused the spike.

### False positive analysis

- Routine administrative changes in group application assignments can trigger false positives. Regularly review and document these changes to differentiate them from suspicious activities.
- Automated processes or scripts that frequently update group assignments may cause spikes. Identify and whitelist these processes to prevent unnecessary alerts.
- Organizational restructuring or onboarding/offboarding activities can lead to increased group assignment changes. Temporarily adjust the detection thresholds or exclude these events during known periods of high activity.
- Changes related to application updates or migrations might be flagged. Coordinate with IT teams to schedule these changes and exclude them from monitoring during the update window.
- Frequent changes by trusted users or administrators can be excluded by creating exceptions for specific user accounts or roles, ensuring that only unexpected changes trigger alerts.

### Response and remediation

- Immediately isolate affected user accounts and groups to prevent further unauthorized access or privilege escalation.
- Revert any unauthorized group application assignments to their previous state to mitigate potential misuse.
- Conduct a thorough review of recent changes in group application assignments to identify any additional unauthorized modifications.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or accounts have been compromised.
- Implement additional monitoring on the affected accounts and groups to detect any further suspicious activity.
- Review and update access controls and group assignment policies to prevent similar unauthorized changes in the future.
- Coordinate with the IT and security teams to ensure that all affected systems and applications are patched and secured against known vulnerabilities."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Spike in Group Application Assignment Change Events

In modern environments, identity and access management systems like Okta manage user access to applications. Adversaries may exploit these systems by altering group application assignments to gain unauthorized access or escalate privileges. The detection rule leverages machine learning to identify unusual spikes in these changes, signaling potential misuse and enabling timely investigation of privilege escalation activities.

Possible investigation steps

  • Review the specific group application assignment change events that triggered the alert to identify which groups and applications were involved.
  • Analyze the timeline of the changes to determine if there is a pattern or specific time frame when the spike occurred.
  • Investigate the user accounts associated with the changes to assess if they have a history of suspicious activity or if they belong to high-risk roles.
  • Check for any recent changes in group membership or application access policies that could explain the spike in assignment changes.
  • Correlate the events with other security alerts or logs to identify any concurrent suspicious activities, such as failed login attempts or unusual access patterns.
  • Consult with the IT or security team to verify if there were any legitimate administrative activities or changes that could have caused the spike.

False positive analysis

  • Routine administrative changes in group application assignments can trigger false positives. Regularly review and document these changes to differentiate them from suspicious activities.
  • Automated processes or scripts that frequently update group assignments may cause spikes. Identify and whitelist these processes to prevent unnecessary alerts.
  • Organizational restructuring or onboarding/offboarding activities can lead to increased group assignment changes. Temporarily adjust the detection thresholds or exclude these events during known periods of high activity.
  • Changes related to application updates or migrations might be flagged. Coordinate with IT teams to schedule these changes and exclude them from monitoring during the update window.
  • Frequent changes by trusted users or administrators can be excluded by creating exceptions for specific user accounts or roles, ensuring that only unexpected changes trigger alerts.
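To make concrete what the rule's job is counting, and how the exclusions described in the false positive analysis change the result, here is a small added example. It is not part of the Elastic rule, the PAD integration, or its anomaly detection job. It buckets constructed Okta System Log events into 15-minute windows (the rule's interval), scores each bucket against the others with a simple leave-one-out z-score (a stand-in for the real anomaly detection job, which models the series very differently), and then lists who changed which group and application in the flagged window, which is the first investigation step above. The event types `group.application_assignment.add/remove/update`, the ECS-style fields `event.action` and `user.name`, and the flat `group.name`/`app.name` keys are assumptions for the sample and should be checked against your integration's mapping; the accounts, timestamps, and counts are constructed.

```python
"""Toy spike detector over constructed Okta assignment-change events (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Assumption: these are the Okta System Log event types that represent group
# application assignment changes; verify against your Okta integration's
# event.action values before reusing the set.
ASSIGNMENT_ACTIONS = frozenset({
    "group.application_assignment.add",
    "group.application_assignment.remove",
    "group.application_assignment.update",
})

BUCKET = timedelta(minutes=15)  # same granularity as the rule's "15m" interval
EPOCH = datetime(2025, 2, 18, 9, 0, tzinfo=timezone.utc)  # constructed start time


def _event(bucket_idx, minute, user, action, group="", app=""):
    """Build one constructed ECS-shaped record (field names are assumptions)."""
    ts = EPOCH + bucket_idx * BUCKET + timedelta(minutes=minute)
    return {"@timestamp": ts.isoformat(), "event.action": action,
            "user.name": user, "group.name": group, "app.name": app}


def make_sample_events():
    """Constructed sample: two assignment changes per bucket for nine buckets
    (flat baseline), a burst in bucket 5 driven mostly by a SCIM service
    account plus two changes by a human admin, and unrelated session events
    in every bucket that the detector must ignore."""
    events = []
    for b in range(9):
        for i in range(2):
            events.append(_event(b, i, "it-admin@example.com",
                                 "group.application_assignment.add", "Finance", "NetSuite"))
        events.append(_event(b, 5, "jdoe@example.com", "user.session.start"))
    for i in range(17):
        events.append(_event(5, 3 + i % 10, "svc-scim@example.com",
                             "group.application_assignment.update", "Engineering", "GitHub"))
    for i in range(2):
        events.append(_event(5, 6 + i, "jdoe@example.com",
                             "group.application_assignment.add", "Okta Admins", "AWS"))
    return events


def bucketize(events, exclude_users=frozenset()):
    """Count assignment-change events per 15-minute bucket, skipping excluded
    (documented automation) accounts. Returns {bucket_start: count} with every
    bucket between the first and last event present, zeros included."""
    counts = Counter()
    for ev in events:
        if ev["event.action"] not in ASSIGNMENT_ACTIONS or ev["user.name"] in exclude_users:
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        counts[ts - (ts - EPOCH) % BUCKET] += 1  # floor to the bucket boundary
    if not counts:
        return {}
    out, cur, hi = {}, min(counts), max(counts)
    while cur <= hi:
        out[cur] = counts.get(cur, 0)
        cur += BUCKET
    return out


def find_spikes(counts, z_threshold=3.0):
    """Flag buckets far above the others. The baseline is leave-one-out so a
    spike cannot inflate its own mean, and the deviation is floored at 1 so a
    perfectly flat baseline still produces a finite score."""
    spikes, starts = [], sorted(counts)
    for start in starts:
        others = [counts[s] for s in starts if s != start]
        if not others:
            continue
        z = (counts[start] - mean(others)) / max(pstdev(others), 1.0)
        if z >= z_threshold:
            spikes.append((start, counts[start], round(z, 2)))
    return spikes


def summarize_bucket(events, bucket_start):
    """Who changed which group/app inside the flagged window: the data the
    first investigation step asks for."""
    end, who = bucket_start + BUCKET, Counter()
    for ev in events:
        if ev["event.action"] not in ASSIGNMENT_ACTIONS:
            continue
        ts = datetime.fromisoformat(ev["@timestamp"])
        if bucket_start <= ts < end:
            who[(ev["user.name"], ev["group.name"], ev["app.name"])] += 1
    return who


if __name__ == "__main__":
    evs = make_sample_events()
    for start, n, z in find_spikes(bucketize(evs)):
        print(f"spike at {start.isoformat()}: {n} assignment changes (z={z})")
        for (user, group, app), k in summarize_bucket(evs, start).most_common():
            print(f"  {user} -> {group} / {app}: {k}")
    print("after excluding svc-scim:", find_spikes(bucketize(evs, {"svc-scim@example.com"})))
```

Running it flags only bucket 5 (21 changes against a baseline of 2), attributes 17 of them to the SCIM account, and shows that once that documented automation account is excluded the remaining two admin changes no longer stand out. That is the trade-off the false positive section describes: an exception for a trusted automation account removes its noise, but it also hides anything that account does if it is ever compromised, so exceptions should be narrow and reviewed.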

Response and remediation

  • Immediately isolate affected user accounts and groups to prevent further unauthorized access or privilege escalation.
  • Revert any unauthorized group application assignments to their previous state to mitigate potential misuse.
  • Conduct a thorough review of recent changes in group application assignments to identify any additional unauthorized modifications.
  • Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or accounts have been compromised.
  • Implement additional monitoring on the affected accounts and groups to detect any further suspicious activity.
  • Review and update access controls and group assignment policies to prevent similar unauthorized changes in the future.
  • Coordinate with the IT and security teams to ensure that all affected systems and applications are patched and secured against known vulnerabilities.
