Spike in Group Privilege Change Events

A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity. Attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence.

Elastic rule

```toml
[metadata]
creation_date = "2025/02/18"
integration = ["pad","okta"]
maturity = "production"
updated_date = "2025/02/18"
min_stack_version = "8.18.0"
min_stack_comments = "New PAD integration only available starting at 8.18.0."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity.
Attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence.
"""
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_spike_in_group_privilege_changes"
name = "Spike in Group Privilege Change Events"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/pad"
]
risk_score = 21
rule_id = "02b4420d-eda2-4529-9e46-4a60eccb7e2d"
setup = """## Setup

The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.

### Privileged Access Detection Setup
The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Privileged Access Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Privileged Access Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide"
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Spike in Group Privilege Change Events

In environments using Okta, group privilege changes are crucial for managing access. Adversaries may exploit this by adding themselves to privileged groups, gaining unauthorized access. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential privilege escalation attempts, thus aiding in early threat detection and response.

### Possible investigation steps

- Review the specific group privilege change events identified by the machine learning job to determine which accounts were added to privileged groups.
- Cross-reference the accounts involved in the privilege changes with recent login activity to identify any unusual or suspicious access patterns.
- Check the history of privilege changes for the affected groups to see if there is a pattern of unauthorized access or if this is an isolated incident.
- Investigate the source IP addresses and locations associated with the privilege change events to identify any anomalies or unexpected geolocations.
- Examine any recent changes to the accounts involved, such as password resets or multi-factor authentication (MFA) modifications, to assess if they have been compromised.
- Collaborate with the affected users or their managers to verify if the privilege changes were authorized and legitimate.

### False positive analysis

- Routine administrative tasks may trigger spikes in group privilege changes. Regularly scheduled audits or updates to group memberships should be documented and excluded from alerts.
- Automated scripts or tools that manage user access can cause frequent changes. Identify these scripts and create exceptions for their activity to prevent false positives.
- Organizational restructuring or mergers often lead to bulk updates in group privileges. During these periods, temporarily adjust the sensitivity of the detection rule or whitelist specific activities.
- Onboarding or offboarding processes can result in a high volume of legitimate group changes. Coordinate with HR and IT to anticipate these events and adjust monitoring accordingly.
- Changes in security policies or compliance requirements might necessitate widespread privilege adjustments. Ensure these policy-driven changes are communicated to the security team to avoid unnecessary alerts.

### Response and remediation

- Immediately isolate the affected accounts by removing them from any high-privilege groups to prevent further unauthorized access.
- Conduct a thorough review of recent group membership changes in Okta to identify any other unauthorized privilege escalations.
- Reset passwords and enforce multi-factor authentication for the affected accounts to secure them against further compromise.
- Notify the security team and relevant stakeholders about the incident for awareness and potential escalation if further suspicious activity is detected.
- Implement additional monitoring on the affected accounts and privileged groups to detect any further unauthorized changes or access attempts.
- Review and update access control policies to ensure that only authorized personnel can modify group memberships, reducing the risk of future privilege escalation.
- Document the incident, including all actions taken, to improve response strategies and inform future security measures."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Spike in Group Privilege Change Events

In environments using Okta, group privilege changes are crucial for managing access. Adversaries may exploit this by adding themselves to privileged groups, gaining unauthorized access. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential privilege escalation attempts, thus aiding in early threat detection and response.

Possible investigation steps

  • Review the specific group privilege change events identified by the machine learning job to determine which accounts were added to privileged groups.
  • Cross-reference the accounts involved in the privilege changes with recent login activity to identify any unusual or suspicious access patterns.
  • Check the history of privilege changes for the affected groups to see if there is a pattern of unauthorized access or if this is an isolated incident.
  • Investigate the source IP addresses and locations associated with the privilege change events to identify any anomalies or unexpected geolocations.
  • Examine any recent changes to the accounts involved, such as password resets or multi-factor authentication (MFA) modifications, to assess if they have been compromised.
  • Collaborate with the affected users or their managers to verify if the privilege changes were authorized and legitimate.

False positive analysis

  • Routine administrative tasks may trigger spikes in group privilege changes. Regularly scheduled audits or updates to group memberships should be documented and excluded from alerts.
  • Automated scripts or tools that manage user access can cause frequent changes. Identify these scripts and create exceptions for their activity to prevent false positives.
  • Organizational restructuring or mergers often lead to bulk updates in group privileges. During these periods, temporarily adjust the sensitivity of the detection rule or whitelist specific activities.
  • Onboarding or offboarding processes can result in a high volume of legitimate group changes. Coordinate with HR and IT to anticipate these events and adjust monitoring accordingly.
  • Changes in security policies or compliance requirements might necessitate widespread privilege adjustments. Ensure these policy-driven changes are communicated to the security team to avoid unnecessary alerts.
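The two lists above (investigation steps and false-positive exclusions) can be rehearsed against raw Okta System Log records before the ML job ever fires. The script below is an added example, not Elastic's job logic or any code from the rule: it buckets constructed group-membership events into the rule's 15-minute interval, flags a bucket whose count sits well above the baseline, excludes a known provisioning automation actor, and summarises the actors, added users and source IPs of the spiking bucket. The Okta eventType names it counts and the automation actor it excludes are assumptions for illustration.

```python
import json
import statistics
from collections import Counter
from datetime import datetime

# Assumption (not stated by the rule): these Okta System Log eventTypes are the ones counted.
GROUP_CHANGE_EVENTS = {"group.user_membership.add", "group.privilege.grant"}
# Known provisioning automation to exclude, per the false-positive guidance (constructed name).
AUTOMATION_ACTORS = {"scim-provisioner@example.com"}

def _event(ts, actor, target, ip, etype="group.user_membership.add"):
    """Build one constructed Okta System Log record as a JSON line."""
    return json.dumps({"published": ts, "eventType": etype, "actor": {"alternateId": actor},
                       "target": [{"type": "User", "alternateId": target}], "client": {"ipAddress": ip}})

# Constructed sample: one routine add per hour by help desk, a SCIM burst (excluded as automation),
# and seven adds within one bucket by a single user from an unfamiliar address.
SAMPLE_LOG = "\n".join(
    [_event(f"2025-02-18T{h:02d}:05:00.000Z", "helpdesk@example.com", f"user{h}@example.com", "10.0.0.5") for h in range(1, 9)]
    + [_event("2025-02-18T04:20:00.000Z", "scim-provisioner@example.com", f"new{i}@example.com", "10.0.0.20") for i in range(20)]
    + [_event("2025-02-18T09:31:00.000Z", "jdoe@example.com", f"contractor{i}@example.com", "203.0.113.9") for i in range(7)]
)

def parse_group_changes(text):
    """Keep only group change events and drop records from known automation actors."""
    out = []
    for line in text.splitlines():
        ev = json.loads(line)
        if ev["eventType"] in GROUP_CHANGE_EVENTS and ev["actor"]["alternateId"] not in AUTOMATION_ACTORS:
            out.append(ev)
    return out

def bucket_key(published, minutes=15):
    """Floor a timestamp to the 15-minute bucket that matches the rule's interval."""
    ts = datetime.fromisoformat(published.replace("Z", "+00:00"))
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0).isoformat()

def find_spikes(events, zscore=2.0):
    """Return {bucket: count} for buckets more than `zscore` standard deviations above the mean."""
    counts = Counter(bucket_key(ev["published"]) for ev in events)
    vals = list(counts.values())
    mean, sd = statistics.mean(vals), (statistics.stdev(vals) if len(vals) > 1 else 0.0)
    return {b: c for b, c in counts.items() if sd and (c - mean) / sd > zscore}

def triage(events, bucket):
    """Summarise who changed what from where in a spiking bucket (investigation steps 1 and 4)."""
    hits = [ev for ev in events if bucket_key(ev["published"]) == bucket]
    return {"actors": Counter(ev["actor"]["alternateId"] for ev in hits),
            "targets": sorted(t["alternateId"] for ev in hits for t in ev["target"]),
            "source_ips": Counter(ev["client"]["ipAddress"] for ev in hits)}

if __name__ == "__main__":
    evs = parse_group_changes(SAMPLE_LOG)
    for b in find_spikes(evs):
        print(b, triage(evs, b))
```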

Response and remediation

  • Immediately isolate the affected accounts by removing them from any high-privilege groups to prevent further unauthorized access.
  • Conduct a thorough review of recent group membership changes in Okta to identify any other unauthorized privilege escalations.
  • Reset passwords and enforce multi-factor authentication for the affected accounts to secure them against further compromise.
  • Notify the security team and relevant stakeholders about the incident for awareness and potential escalation if further suspicious activity is detected.
  • Implement additional monitoring on the affected accounts and privileged groups to detect any further unauthorized changes or access attempts.
  • Review and update access control policies to ensure that only authorized personnel can modify group memberships, reducing the risk of future privilege escalation.
  • Document the incident, including all actions taken, to improve response strategies and inform future security measures.
