Elastic security

Description

This are ACSC Advisory IOCs detection rules for Elastic SIEM.

The Australian Cyber Security Centre (ACSC) recently published an advisory outlining tactics, techniques and procedures used against multiple Australian businesses in a recent campaign by a state based actor.

SIEM rules were created using the list of IOCs published by the ACSC to detect and alert on a potential attack.

IOCs often change rapidly during campaigns and should not solely be relied upon for detections. However, it can be useful to maintain a list of IOCs in case other lines of defence are bypassed by the adversary.

Note that the SIEM rules currently run every 60 minutes, looking back at events from the last 60 minutes. The rules currently do not run actions for every execution. If you need to act on detections, it would be a good idea to set the frequency to Hourly rather than on each rule execution, to reduce the amount of noise created.

Here is a full blog post on the campaign and Elastic Security.

Source

Originally found here: https://github.com/elastic/examples/tree/master/Security%20Analytics/ACSC2020-008_IOCs

Tested versions 7.13
ECS compliant Yes

You must log in to submit a review.

Related downloads

Sigma Windows inbuilt detection rules

A collection of rules based on the Sigma rules for Windows (inbuilt folder) based on Winlogbeat data .

Office 365 dashboards

A collection of Kibana dashboards to provide a holistic view of Microsoft Office 365 environments

Sigma detection rules for proxy server logs

A collection of rules based on the Sigma detection rules for proxy server and web server looks, e.g. zeek or suricata.

Sigma Elastic SIEM rules for web server logs

A collection of rules based on the Sigma detection rules for web server looks, e.g. apache, nginx or IIS.

Sigma Sysmon detection rules

A collection of rules based on the Sigma detection rules for Windows Sysmon events based on Winlogbeat data.

OpenSIEM Logstash Parsing

Logstash Parsing Configurations for Elastic SIEM parses many different sources into ECS

These downloads could be also interesting for you

Kibana alerting enhancement

This bundle enhances the Kibana alerting experience. Storing all relevant information in indices and visualize the data in dashboards.

Observability Kibana Dashboard

A single pane of glass dashboard for Logs, Metrics, APM data and business KPIs.

Impossible travel transform job

Impossible travel detection by calculating the distance between two login locations in combination with the time between the two logins

Cloudflare Kibana dashboards

Cloudflare dashboards and ingest pipelines to visualize cloudflare logs

Vega Clock UTC

This is a working clock visualization in UTC time.

Azure billing data network

A vega visualization that shows the connection between resource group, resource type and the resource itself based on Elastic agent azure billing data integration.