Exploit - Prevented - Elastic Endgame

Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information. This is a promotion rule: it re-surfaces prevention alerts already raised by the Endgame sensor (event.kind:alert with endgame.metadata.type:prevention) from the endgame-* indices; exploit activity the sensor only detected, rather than prevented, does not match this rule.


 1[metadata]
 2creation_date = "2020/02/18"
 3maturity = "production"
 4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 5min_stack_version = "8.3.0"
 6updated_date = "2024/01/17"
 7promotion = true
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the
13rule.reference column for additional information.
14"""
15from = "now-15m"
16index = ["endgame-*"]
17interval = "10m"
18language = "kuery"
19license = "Elastic License v2"
20max_signals = 10000
21name = "Exploit - Prevented - Elastic Endgame"
22risk_score = 47
23rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
24severity = "medium"
25tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
26type = "query"
27timestamp_override = "event.ingested"
28
29query = '''
30event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
31'''
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35
36[rule.threat.tactic]
37id = "TA0002"
38name = "Execution"
39reference = "https://attack.mitre.org/tactics/TA0002/"
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1068"
45name = "Exploitation for Privilege Escalation"
46reference = "https://attack.mitre.org/techniques/T1068/"
47
48[rule.threat.tactic]
49id = "TA0004"
50name = "Privilege Escalation"
51reference = "https://attack.mitre.org/tactics/TA0004/"```
