[Rule Tuning] Rule Tunings to add T1078 technique and subtechniques (#2530)

imays11 · github-actions[bot] · commit 7a76c48dd7d4 · 2023-02-08T16:23:50.000Z
- add sub-techniques and techniques (cherry picked from commit 443478c)
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2023/01/30"
+updated_date = "2023/02/07"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -52,7 +52,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "e26aed74-c816-40d3-a810-48d6fbd8b2fd"
 severity = "low"
-tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Credential Access"]
+tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Credential Access", "Defense Evasion"]
 type = "machine_learning"
 
 [[rule.threat]]
@@ -66,4 +66,24 @@ reference = "https://attack.mitre.org/techniques/T1110/"
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
-reference = "https://attack.mitre.org/tactics/TA0006/"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.002"
+name = "Domain Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2023/01/30"
+updated_date = "2023/02/07"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -62,7 +62,14 @@ framework = "MITRE ATT&CK"
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1078.002"
+name = "Domain Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
 
 [rule.threat.tactic]
 id = "TA0001"
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2023/02/07"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -50,7 +50,14 @@ framework = "MITRE ATT&CK"
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
-
+[[rule.threat.technique.subtechnique]]
+id = "T1078.002"
+name = "Domain Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/002/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.003"
+name = "Local Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/003/"
 
 [rule.threat.tactic]
 id = "TA0001"
