Spike in User Lifecycle Management Change Events

A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity. Threat actors may manipulate user accounts to gain higher access rights or persist within the environment.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2025/02/18"
integration = ["pad","okta"]
maturity = "production"
updated_date = "2025/02/18"
min_stack_version = "8.18.0"
min_stack_comments = "New PAD integration only available starting at 8.18.0."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity.
Threat actors may manipulate user accounts to gain higher access rights or persist within the environment.
"""
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_okta_spike_in_user_lifecycle_management_changes"
name = "Spike in User Lifecycle Management Change Events"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/pad"
]
risk_score = 21
rule_id = "178770e0-5c20-4246-b430-e216a2888b23"
setup = """## Setup

The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.

### Privileged Access Detection Setup
The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Privileged Access Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Privileged Access Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide"
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Spike in User Lifecycle Management Change Events

User lifecycle management in environments like Okta involves creating, modifying, and deleting user accounts. Adversaries may exploit this by manipulating accounts to escalate privileges or maintain access. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential misuse. By focusing on anomalies, it aids in early detection of privilege escalation tactics.

### Possible investigation steps

- Review the specific user accounts involved in the lifecycle management change events to identify any patterns or anomalies, such as multiple changes in a short period or changes made by unusual sources.
- Check the timestamps of the change events to determine if they align with normal business hours or if they occurred during unusual times, which might indicate suspicious activity.
- Investigate the source IP addresses and locations associated with the change events to identify any unusual or unauthorized access points.
- Examine the types of changes made to the user accounts, such as privilege escalations or role modifications, to assess if they align with legitimate business needs.
- Cross-reference the user accounts involved with recent security alerts or incidents to determine if they have been previously flagged for suspicious activity.
- Consult with the account owners or relevant department heads to verify if the changes were authorized and necessary for business operations.

### False positive analysis

- Routine administrative tasks such as bulk user account updates or scheduled maintenance can trigger spikes in user lifecycle management events. To manage this, create exceptions for known maintenance windows or bulk operations.
- Automated processes or scripts that regularly modify user accounts may cause false positives. Identify these processes and exclude them from the detection rule to prevent unnecessary alerts.
- Onboarding or offboarding periods with high user account activity can lead to spikes. Adjust the detection thresholds temporarily during these periods or exclude specific user groups involved in these activities.
- Integration with third-party applications that frequently update user attributes might result in false positives. Review and whitelist these applications to reduce noise in the detection system.

### Response and remediation

- Immediately isolate the affected user accounts to prevent further unauthorized access or privilege escalation. This can be done by disabling the accounts or changing their passwords.
- Review and revoke any unauthorized permissions or roles that were assigned during the spike in user lifecycle management change events. Ensure that only legitimate access rights are restored.
- Conduct a thorough audit of recent user account changes to identify any additional accounts that may have been manipulated. Pay special attention to accounts with elevated privileges.
- Notify the security team and relevant stakeholders about the incident to ensure awareness and coordination for further investigation and response.
- Implement additional monitoring on the affected accounts and related systems to detect any further suspicious activity or attempts to regain unauthorized access.
- Escalate the incident to higher-level security management if the scope of the breach is extensive or if sensitive data may have been compromised.
- Review and update access management policies and procedures to prevent similar incidents in the future, ensuring that changes to user accounts are logged and regularly reviewed."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Spike in User Lifecycle Management Change Events

User lifecycle management in environments like Okta involves creating, modifying, and deleting user accounts. Adversaries may exploit this by manipulating accounts to escalate privileges or maintain access. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential misuse. By focusing on anomalies, it aids in early detection of privilege escalation tactics.

Possible investigation steps

  • Review the specific user accounts involved in the lifecycle management change events to identify any patterns or anomalies, such as multiple changes in a short period or changes made by unusual sources.
  • Check the timestamps of the change events to determine if they align with normal business hours or if they occurred during unusual times, which might indicate suspicious activity.
  • Investigate the source IP addresses and locations associated with the change events to identify any unusual or unauthorized access points.
  • Examine the types of changes made to the user accounts, such as privilege escalations or role modifications, to assess if they align with legitimate business needs.
  • Cross-reference the user accounts involved with recent security alerts or incidents to determine if they have been previously flagged for suspicious activity.
  • Consult with the account owners or relevant department heads to verify if the changes were authorized and necessary for business operations.

False positive analysis

  • Routine administrative tasks such as bulk user account updates or scheduled maintenance can trigger spikes in user lifecycle management events. To manage this, create exceptions for known maintenance windows or bulk operations.
  • Automated processes or scripts that regularly modify user accounts may cause false positives. Identify these processes and exclude them from the detection rule to prevent unnecessary alerts.
  • Onboarding or offboarding periods with high user account activity can lead to spikes. Adjust the detection thresholds temporarily during these periods or exclude specific user groups involved in these activities.
  • Integration with third-party applications that frequently update user attributes might result in false positives. Review and whitelist these applications to reduce noise in the detection system.
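The investigation steps and the false-positive guidance above can be checked mechanically before anyone is paged: bucket the lifecycle events into the same 15-minute windows the rule uses, drop the actors you already know to be automation, and summarise what is left per actor (volume, distinct targets, source addresses, off-hours activity, privilege grants). The Python below is an added example, not code from Elastic's rule or from the Privileged Access Detection integration. The Okta eventType values it matches (user.lifecycle.create, user.lifecycle.activate, user.lifecycle.suspend, user.lifecycle.deactivate, user.account.privilege.grant) are real Okta System Log event types; the flat record layout, the automation allowlist, the business-hours range, the spike threshold and the sample events are constructed assumptions.

```python
"""Triage helper for a spike in Okta user lifecycle management events.

Added example (not Elastic's rule code). Sample events are constructed;
field names, the automation allowlist, business hours and the spike
threshold are assumptions standing in for what the ML job and your
environment would supply.
"""
from collections import defaultdict
from datetime import datetime

LIFECYCLE_PREFIX = "user.lifecycle."                    # Okta eventType family
PRIVILEGE_TYPES = {"user.account.privilege.grant"}       # escalation-relevant, not lifecycle
# Assumption: identities known to perform scripted bulk changes (e.g. HR-driven
# SCIM provisioning). Excluding them is the "identify automated processes and
# exclude them" false-positive step.
KNOWN_AUTOMATION = frozenset({"scim-provisioner@example.com"})
BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 UTC is normal
WINDOW_MINUTES = 15             # same bucket size as the rule's interval
SPIKE_MIN_EVENTS = 5            # assumed stand-in for the ML anomaly score


def _evt(ts, event_type, actor, target, ip):
    return {"@timestamp": ts, "event_type": event_type,
            "actor": actor, "target": target, "source_ip": ip}


# Constructed sample data: routine daytime provisioning, then an off-hours burst.
SAMPLE_EVENTS = [
    _evt("2025-02-18T09:05:00Z", "user.lifecycle.create",     "scim-provisioner@example.com", "new.hire1@example.com", "198.51.100.10"),
    _evt("2025-02-18T09:05:30Z", "user.lifecycle.activate",   "scim-provisioner@example.com", "new.hire1@example.com", "198.51.100.10"),
    _evt("2025-02-18T10:20:00Z", "user.lifecycle.deactivate", "it.admin@example.com",         "leaver1@example.com",   "198.51.100.22"),
    _evt("2025-02-18T02:01:00Z", "user.lifecycle.create",   "jdoe@example.com", "svc-backup@example.com", "203.0.113.7"),
    _evt("2025-02-18T02:01:20Z", "user.lifecycle.activate", "jdoe@example.com", "svc-backup@example.com", "203.0.113.7"),
    _evt("2025-02-18T02:02:00Z", "user.lifecycle.create",   "jdoe@example.com", "svc-sync@example.com",   "203.0.113.7"),
    _evt("2025-02-18T02:02:15Z", "user.lifecycle.activate", "jdoe@example.com", "svc-sync@example.com",   "203.0.113.7"),
    _evt("2025-02-18T02:03:00Z", "user.lifecycle.create",   "jdoe@example.com", "helpdesk2@example.com",  "203.0.113.7"),
    _evt("2025-02-18T02:03:10Z", "user.lifecycle.activate", "jdoe@example.com", "helpdesk2@example.com",  "203.0.113.7"),
    _evt("2025-02-18T02:05:00Z", "user.lifecycle.suspend",  "jdoe@example.com", "sec.oncall@example.com", "203.0.113.7"),
    _evt("2025-02-18T02:06:00Z", "user.account.privilege.grant", "jdoe@example.com", "svc-backup@example.com", "203.0.113.7"),
]


def parse_ts(ts):
    """Parse the UTC timestamps used in the sample ('YYYY-MM-DDTHH:MM:SSZ')."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def bucket_start(ts):
    """Floor a timestamp to the start of its WINDOW_MINUTES bucket (ISO string)."""
    t = parse_ts(ts)
    floored = t.replace(minute=(t.minute // WINDOW_MINUTES) * WINDOW_MINUTES,
                        second=0, microsecond=0)
    return floored.strftime("%Y-%m-%dT%H:%M:%SZ")


def lifecycle_bucket_counts(events, exclude_actors=KNOWN_AUTOMATION):
    """Count user.lifecycle.* events per bucket, ignoring allowlisted automation."""
    counts = defaultdict(int)
    for e in events:
        if e["actor"] in exclude_actors or not e["event_type"].startswith(LIFECYCLE_PREFIX):
            continue
        counts[bucket_start(e["@timestamp"])] += 1
    return dict(counts)


def spike_buckets(counts, min_events=SPIKE_MIN_EVENTS):
    """Buckets whose lifecycle-event count reaches the assumed spike threshold."""
    return sorted(b for b, c in counts.items() if c >= min_events)


def actor_summary(events, exclude_actors=KNOWN_AUTOMATION):
    """Per-actor view for the investigation steps: volume, distinct targets,
    source IPs, event types, off-hours activity and privilege grants."""
    acc = defaultdict(lambda: {"count": 0, "targets": set(), "source_ips": set(),
                               "event_types": set(), "off_hours": 0, "privilege_grants": 0})
    for e in events:
        if e["actor"] in exclude_actors:
            continue
        s = acc[e["actor"]]
        s["count"] += 1
        s["targets"].add(e["target"])
        s["source_ips"].add(e["source_ip"])
        s["event_types"].add(e["event_type"])
        if parse_ts(e["@timestamp"]).hour not in BUSINESS_HOURS:
            s["off_hours"] += 1
        if e["event_type"] in PRIVILEGE_TYPES:
            s["privilege_grants"] += 1
    # sets -> sorted lists so the output is stable and printable
    return {a: {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()}
            for a, s in acc.items()}


def triage(events, exclude_actors=KNOWN_AUTOMATION):
    """Everything an analyst wants in one place before deciding to escalate."""
    counts = lifecycle_bucket_counts(events, exclude_actors)
    return {"bucket_counts": counts,
            "spike_buckets": spike_buckets(counts),
            "actors": actor_summary(events, exclude_actors)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run with an empty `exclude_actors` and the SCIM account's 09:00 provisioning shows up alongside the real burst; with the allowlist in place only the 02:00 window from a single unfamiliar address, touching four accounts and ending in a privilege grant, remains, which is exactly the pattern the investigation steps ask you to look for. In a live environment the events would come from an Okta system log query against the alert's time range rather than the constructed list.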

Response and remediation

  • Immediately isolate the affected user accounts to prevent further unauthorized access or privilege escalation. This can be done by disabling the accounts or changing their passwords.
  • Review and revoke any unauthorized permissions or roles that were assigned during the spike in user lifecycle management change events. Ensure that only legitimate access rights are restored.
  • Conduct a thorough audit of recent user account changes to identify any additional accounts that may have been manipulated. Pay special attention to accounts with elevated privileges.
  • Notify the security team and relevant stakeholders about the incident to ensure awareness and coordination for further investigation and response.
  • Implement additional monitoring on the affected accounts and related systems to detect any further suspicious activity or attempts to regain unauthorized access.
  • Escalate the incident to higher-level security management if the scope of the breach is extensive or if sensitive data may have been compromised.
  • Review and update access management policies and procedures to prevent similar incidents in the future, ensuring that changes to user accounts are logged and regularly reviewed.
