Spike in Group Management Events

A machine learning job has identified a spike in group management events for a user, indicating potential privileged access activity. The machine learning has flagged an abnormal rise in group management actions (such as adding or removing users from privileged groups), which could point to an attempt to escalate privileges or unauthorized modifications to group memberships.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/02/18"
min_stack_version = "8.18.0"
min_stack_comments = "New PAD integration only available starting at 8.18.0."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has identified a spike in group management events for a user, indicating potential privileged access activity.
The machine learning has flagged an abnormal rise in group management actions (such as adding or removing users from privileged groups),
which could point to an attempt to escalate privileges or unauthorized modifications to group memberships.
"""
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_high_count_group_management_events"
name = "Spike in Group Management Events"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/pad"
]
risk_score = 21
rule_id = "751b0329-7295-4682-b9c7-4473b99add69"
setup = """## Setup

The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.

### Privileged Access Detection Setup
The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Privileged Access Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Privileged Access Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide"
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Spike in Group Management Events

The detection of spikes in group management events leverages machine learning to monitor and identify unusual patterns in user activities related to group memberships. Adversaries may exploit this by adding or removing users from privileged groups to escalate privileges or alter access controls. The detection rule identifies these anomalies, flagging potential unauthorized modifications indicative of privilege escalation attempts.

### Possible investigation steps

- Review the specific user account associated with the spike in group management events to determine if the activity aligns with their typical behavior or role.
- Check the timeline of the group management events to identify any patterns or sequences that might suggest unauthorized access or privilege escalation attempts.
- Investigate the source IP addresses and devices used during the group management events to verify if they are consistent with the user's usual access points or if they indicate potential compromise.
- Examine recent changes to privileged groups, focusing on additions or removals of users, to assess if these modifications were authorized and necessary.
- Cross-reference the flagged events with any recent support tickets or change requests to confirm if the actions were legitimate and documented.
- Look for any other related alerts or anomalies in the same timeframe that might indicate a broader security incident or coordinated attack.

### False positive analysis

- Routine administrative tasks can trigger spikes in group management events, such as scheduled user onboarding or offboarding. To manage this, create exceptions for known periods of increased activity.
- Automated scripts or tools that manage group memberships might cause false positives. Identify these scripts and exclude their activities from the rule's monitoring.
- Changes in organizational structure, like department mergers, can lead to legitimate spikes. Document these changes and adjust the rule's sensitivity temporarily.
- Regular audits or compliance checks that involve group membership reviews may appear as anomalies. Schedule these activities and inform the monitoring team to prevent false alerts.
- High turnover rates in certain departments can result in frequent group changes. Monitor these departments separately and adjust thresholds accordingly.

### Response and remediation

- Immediately isolate the affected user account by disabling it to prevent further unauthorized group management activities.
- Review and audit recent changes to group memberships, focusing on privileged groups, to identify any unauthorized additions or removals.
- Revert any unauthorized changes to group memberships to restore the intended access controls.
- Conduct a thorough investigation to determine the source of the anomaly, including checking for compromised credentials or insider threats.
- Reset the password for the affected user account and enforce multi-factor authentication to enhance security.
- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring on the affected account and related privileged groups to detect any further suspicious activities."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
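The rule above delegates the "spike" decision to an anomaly detection job, so the page shows no detection logic itself. The following is an added example, not Elastic's rule or the pad_windows_high_count_group_management_events job: a small per-user spike detector that buckets Windows group-management events into the rule's 15-minute interval, compares each window with the user's other windows, excludes a known automation account as the false-positive guidance suggests, and enriches a hit with the privileged groups it touched for triage. The event IDs are the real Windows Security IDs for membership changes to security-enabled groups; the ECS-style field names (`event.code`, `user.name`, `group.name`), the privileged-group set, the allowlisted account name, the thresholds and the log lines are all assumptions constructed for the example, and the ratio-over-median heuristic is a stand-in for the ML job's scoring, not a reproduction of it.

```python
"""Toy per-user spike detector for Windows group-management events.

Added example; not Elastic's rule or ML job. Event IDs are real Windows
Security IDs; field layout, thresholds, group names and log lines are
constructed assumptions for this example.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Windows Security event IDs: membership changes to security-enabled groups.
GROUP_MGMT_EVENT_IDS = {
    4728: "member added to global group",
    4729: "member removed from global group",
    4732: "member added to local group",
    4733: "member removed from local group",
    4756: "member added to universal group",
    4757: "member removed from universal group",
}
# Groups treated as privileged here (assumption; tune to your domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Accounts whose automated group changes are known and excluded (assumed name).
AUTOMATION_ALLOWLIST = {"svc-iam-sync"}
BUCKET_SECONDS = 15 * 60  # the rule's 15m interval


def make_log_line(ts, user, code, group):
    """Build one constructed ECS-style JSON log line (not real telemetry)."""
    return json.dumps({"@timestamp": ts, "event": {"code": str(code)},
                       "user": {"name": user}, "group": {"name": group}})


# Constructed sample log: alice makes two routine changes, then six in one window;
# bob makes two; the allowlisted sync account makes many. 4624 is a logon, not group mgmt.
SAMPLE_LOG = [make_log_line(*row) for row in [
    ("2025-02-18T09:02:10Z", "alice", 4728, "Finance"),
    ("2025-02-18T09:05:00Z", "alice", 4624, "-"),
    ("2025-02-18T09:20:41Z", "alice", 4732, "Remote Desktop Users"),
    ("2025-02-18T09:21:00Z", "bob", 4728, "Finance"),
    ("2025-02-18T09:22:00Z", "bob", 4729, "Finance"),
    ("2025-02-18T09:31:05Z", "alice", 4728, "Domain Admins"),
    ("2025-02-18T09:31:40Z", "alice", 4756, "Enterprise Admins"),
    ("2025-02-18T09:32:12Z", "alice", 4732, "Administrators"),
    ("2025-02-18T09:33:50Z", "alice", 4728, "Domain Admins"),
    ("2025-02-18T09:35:02Z", "alice", 4729, "Finance"),
    ("2025-02-18T09:36:30Z", "alice", 4732, "Administrators"),
] + [("2025-02-18T09:3%d:00Z" % i, "svc-iam-sync", 4728, "Finance") for i in range(8)]]


def parse_event(line):
    """Parse one JSON log line into the fields the detector needs."""
    doc = json.loads(line)
    ts = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))
    return {"ts": ts, "user": doc["user"]["name"],
            "code": int(doc["event"]["code"]), "group": doc["group"]["name"]}


def bucket_events(lines):
    """Group qualifying events per (user, 15-minute bucket), dropping events that are not
    group-management and accounts on the automation allowlist (false-positive exclusion)."""
    buckets = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["code"] not in GROUP_MGMT_EVENT_IDS or ev["user"] in AUTOMATION_ALLOWLIST:
            continue
        bucket = int(ev["ts"].timestamp()) // BUCKET_SECONDS
        buckets[(ev["user"], bucket)].append(ev)
    return buckets


def find_spikes(lines, min_count=5, ratio=3.0):
    """Flag windows where a user's count is at least min_count and at least ratio times
    the median of that user's other windows (leave-one-out baseline, floored at 1)."""
    per_user = defaultdict(dict)
    for (user, bucket), evs in bucket_events(lines).items():
        per_user[user][bucket] = evs
    spikes = []
    for user, windows in sorted(per_user.items()):
        for bucket, evs in sorted(windows.items()):
            others = [len(e) for b, e in windows.items() if b != bucket]
            baseline = statistics.median(others) if others else 0
            if len(evs) >= min_count and len(evs) >= ratio * max(baseline, 1):
                start = datetime.fromtimestamp(bucket * BUCKET_SECONDS, timezone.utc)
                spikes.append({
                    "user": user,
                    "window_start": start.isoformat(),
                    "count": len(evs),
                    "baseline": baseline,
                    # Triage enrichment: which privileged groups were touched in the window.
                    "privileged_groups": sorted({e["group"] for e in evs
                                                 if e["group"] in PRIVILEGED_GROUPS}),
                })
    return spikes


if __name__ == "__main__":
    for spike in find_spikes(SAMPLE_LOG):
        print(json.dumps(spike, indent=2))
```

Run against the constructed log it reports one window: alice at 09:30 UTC with six events against a baseline of one, touching Administrators, Domain Admins and Enterprise Admins; bob's two changes stay below `min_count`, and the sync account is never counted. The leave-one-out median keeps a single burst from inflating its own baseline, which is the same reason the rule's guidance asks you to carve out scheduled onboarding or audit periods rather than raise a global threshold.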

