Spike in Special Logon Events
A machine learning job has detected a surge in special logon events for a user, indicating potential privileged access activity. A sudden spike in these events could suggest an attacker or malicious insider gaining elevated access, possibly for lateral movement or privilege escalation.
Elastic rule

```toml
[metadata]
creation_date = "2025/02/18"
integration = ["pad", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/02/18"
min_stack_version = "8.18.0"
min_stack_comments = "New PAD integration only available starting at 8.18.0."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has detected a surge in special logon events for a user, indicating potential privileged access activity.
A sudden spike in these events could suggest an attacker or malicious insider gaining elevated access, possibly for lateral movement or privilege escalation.
"""
from = "now-3h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "pad_windows_high_count_special_logon_events"
name = "Spike in Special Logon Events"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/pad"
]
risk_score = 21
rule_id = "097ef0b8-fb21-4e45-ad89-d81666349c6a"
setup = """## Setup

The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.

### Privileged Access Detection Setup
The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Privileged Access Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.

#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Privileged Access Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide"
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Spike in Special Logon Events

Special logon events are crucial for tracking privileged access, often indicating administrative actions. Adversaries exploit these by gaining elevated access to perform unauthorized activities, such as lateral movement or privilege escalation. The detection rule leverages machine learning to identify unusual spikes in these events, signaling potential misuse and enabling timely investigation of suspicious privileged access activities.

### Possible investigation steps

- Review the user account associated with the spike in special logon events to determine if the account is expected to have privileged access.
- Check the time and frequency of the special logon events to identify any unusual patterns or times that deviate from the user's normal behavior.
- Investigate the source IP addresses and devices from which the special logon events originated to verify if they are known and trusted.
- Examine recent changes or activities performed by the user account to identify any unauthorized or suspicious actions that may indicate privilege escalation or lateral movement.
- Correlate the special logon events with other security alerts or logs, such as failed login attempts or changes in user permissions, to gather additional context and evidence of potential malicious activity.

### False positive analysis

- Regular administrative tasks by IT staff can trigger spikes in special logon events. To manage this, create exceptions for known administrative accounts that frequently perform legitimate privileged actions.
- Scheduled automated processes or scripts that require elevated access may cause false positives. Identify these processes and exclude them from the detection rule to prevent unnecessary alerts.
- Software updates or system maintenance activities often involve multiple privileged logons. Document these events and adjust the detection thresholds temporarily during known maintenance windows to reduce false positives.
- Users with roles that inherently require frequent privileged access, such as system administrators or security personnel, may trigger alerts. Maintain a list of such roles and apply exclusions where appropriate to avoid constant alerts for expected behavior.

### Response and remediation

- Immediately isolate the affected user account to prevent further unauthorized access. Disable the account or change its credentials to stop any ongoing malicious activity.
- Conduct a thorough review of recent activities associated with the affected account to identify any unauthorized changes or access to sensitive systems and data.
- If lateral movement is suspected, isolate any systems accessed by the compromised account to prevent further spread of the threat.
- Escalate the incident to the security operations center (SOC) or incident response team for a detailed investigation and to determine the full scope of the breach.
- Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to regain access.
- Review and update access controls and permissions to ensure that only necessary privileges are granted, reducing the risk of privilege escalation.
- Enhance detection capabilities by tuning existing monitoring tools to better identify similar spikes in special logon events, leveraging insights from the current incident."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
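The following is an added illustration, not Elastic's PAD job or any code from the rule above: it approximates the per-user count-spike idea behind the `pad_windows_high_count_special_logon_events` job with a median/MAD baseline over 15-minute buckets, and applies the known-admin-account exception recommended in the false positive analysis. It assumes Windows event ID 4672 (Special privileges assigned to new logon) as the special logon event, and the user names, sample timestamps and exception list are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BUCKET = timedelta(minutes=15)          # same granularity as the rule's 15m interval
KNOWN_ADMIN_ACCOUNTS = {"admin_jdoe"}   # assumed exception list from the triage guide

def _mk(user, bucket_idx, n, code=4672):  # n constructed events inside one 15m bucket
    start = datetime(2025, 2, 18, 9, 0) + bucket_idx * BUCKET
    return [(start + timedelta(seconds=30 * j), user, code) for j in range(n)]

# Constructed sample log: (timestamp, user, event code). 4672 is the Windows
# "Special privileges assigned to new logon" event; 4624 is an ordinary logon.
SAMPLE_EVENTS = (
    sum((_mk("svc_backup", i, 2) for i in range(8)), []) + _mk("svc_backup", 8, 20)
    + sum((_mk("alice", i, 1) for i in range(9)), []) + _mk("alice", 8, 1)
    + _mk("alice", 8, 6, code=4624)         # non-special logons must be ignored
    + _mk("admin_jdoe", 8, 15)              # noisy but known admin account
)

def counts_per_user(events):
    """Count 4672 events per user per 15-minute bucket."""
    table = defaultdict(lambda: defaultdict(int))
    for ts, user, code in events:
        if code != 4672:
            continue
        b = ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)
        table[user][b] += 1
    return table

def spikes(events, min_count=5, k=4.0, exclude=KNOWN_ADMIN_ACCOUNTS):
    """Users whose newest bucket is far above their own history (median + k*MAD;
    missing buckets count as 0, so a quiet account that suddenly bursts is caught)."""
    table = counts_per_user(events)
    all_buckets = sorted({b for bs in table.values() for b in bs})
    if len(all_buckets) < 4:                # not enough history for a baseline
        return {}
    latest, alerts = all_buckets[-1], {}
    for user, buckets in table.items():
        if user in exclude:                 # known admin exception (false positive analysis)
            continue
        history = [buckets.get(b, 0) for b in all_buckets[:-1]]
        current = buckets.get(latest, 0)
        base = median(history)
        mad = median(abs(h - base) for h in history) or 1.0   # avoid divide-by-zero on flat history
        score = (current - base) / mad
        if current >= min_count and score > k:
            alerts[user] = {"bucket": latest, "count": current, "baseline": base, "score": round(score, 1)}
    return alerts
```

Running `spikes(SAMPLE_EVENTS)` flags only `svc_backup`; passing `exclude=set()` shows why the admin exception matters, since `admin_jdoe` would otherwise alert as well.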
Related rules
- High Command Line Entropy Detected for Privileged Commands
- Spike in Group Application Assignment Change Events
- Spike in Group Lifecycle Change Events
- Spike in Group Management Events
- Spike in Group Membership Events