Unusual Sudo Activity

Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/03"
 3integration = ["auditd_manager", "endpoint"]
 4maturity = "production"
 5updated_date = "2023/07/27"
 6min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 7min_stack_version = "8.3.0"
 8
 9[rule]
10anomaly_threshold = 75
11author = ["Elastic"]
12description = """
13Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or
14it could be a sign of credentialed access via compromised accounts.
15"""
16false_positives = [
17    """
18    Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual
19    troubleshooting or reconfiguration.
20    """,
21]
22from = "now-45m"
23interval = "15m"
24license = "Elastic License v2"
25machine_learning_job_id = ["v3_linux_rare_sudo_user"]
26name = "Unusual Sudo Activity"
27risk_score = 21
28rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0"
29severity = "low"
30tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"]
31type = "machine_learning"
32[[rule.threat]]
33framework = "MITRE ATT&CK"
34[[rule.threat.technique]]
35id = "T1548"
36name = "Abuse Elevation Control Mechanism"
37reference = "https://attack.mitre.org/techniques/T1548/"
38
39
40[rule.threat.tactic]
41id = "TA0005"
42name = "Defense Evasion"
43reference = "https://attack.mitre.org/tactics/TA0005/"
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1548"
48name = "Abuse Elevation Control Mechanism"
49reference = "https://attack.mitre.org/techniques/T1548/"
50
51
52[rule.threat.tactic]
53id = "TA0004"
54name = "Privilege Escalation"
55reference = "https://attack.mitre.org/tactics/TA0004/"

