elastic
diff --git a/‎rules/integrations/freeipa/credential_access_freeipa_ldap_credential_search.toml‎
Lines changed: 119 additions & 0 deletions b/‎rules/integrations/freeipa/credential_access_freeipa_ldap_credential_search.toml‎
Lines changed: 119 additions & 0 deletions
diff --git a/‎rules/integrations/freeipa/credential_access_freeipa_new_s4u2proxy_delegation.toml‎
Lines changed: 115 additions & 0 deletions b/‎rules/integrations/freeipa/credential_access_freeipa_new_s4u2proxy_delegation.toml‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎rules/integrations/freeipa/credential_access_freeipa_slow_brute_force.toml‎
Lines changed: 115 additions & 0 deletions b/‎rules/integrations/freeipa/credential_access_freeipa_slow_brute_force.toml‎
Lines changed: 115 additions & 0 deletions
@@ -0,0 +1,119 @@
+[metadata]
+creation_date = "2026/03/28"
+integration = ["freeipa"]
+maturity = "development"
+min_stack_comments = "ES|QL LOOKUP JOIN requires 8.19+ for GA support with lookup-mode indices."
+min_stack_version = "8.19.0"
+updated_date = "2026/03/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects LDAP searches for credential attributes (userPassword, krbPrincipalKey, ipaNTHash, krbMKey) by non-internal
+users. These attributes contain password hashes, Kerberos keys, and NT hashes that can be cracked offline. Uses
+LOOKUP JOIN with the latest_bind transform to identify the authenticated identity and exclude internal FreeIPA
+operations such as Directory Manager and Kerberos subsystem searches.
+"""
+false_positives = [
+    """
+    FreeIPA internal processes (ipa-kdb, certmonger) may search for credential attributes during normal operations.
+    These use bind DNs under cn=kerberos or cn=Directory Manager and are excluded. Custom LDAP scripts performing
+    password auditing may trigger this rule — add their bind DNs to the exclusion list.
+    """,
+]
+from = "now-9m"
+interval = "5m"
+language = "esql"
+license = "Elastic License v2"
+name = "FreeIPA LDAP Credential Attribute Search by External User"
+note = """## Triage and analysis
+
+### Investigating FreeIPA LDAP Credential Attribute Search by External User
+
+FreeIPA stores credential material in LDAP attributes that are normally ACL-protected. Searches explicitly requesting these attributes indicate an attempt to extract password hashes or Kerberos keys for offline cracking. Internal FreeIPA processes access these attributes routinely, but any external user or non-standard bind DN doing so is highly suspicious.
+
+### Possible investigation steps
+
+- Identify the authenticated user from `freeipa.directory.bind_dn` — this is the account performing the search.
+- Check `freeipa.directory.filter` to understand exactly which credential attributes were requested.
+- Review `source.ip` to determine where the search originated.
+- Check if the bind DN has been compromised by reviewing recent authentication events for that principal.
+- Look for follow-up activity indicating offline cracking succeeded — new authentications for the targeted accounts from unusual sources.
+
+### Response and remediation
+
+- Immediately reset the password for the bind DN performing the search.
+- Rotate Kerberos keys for any principals whose krbPrincipalKey was exposed.
+- Review LDAP ACIs to ensure credential attributes are not readable by non-admin users.
+- Block the source IP if external or unauthorized.
+- Consider enabling audit logging for sensitive attribute access in 389 DS.
+"""
+references = [
+    "https://attack.mitre.org/techniques/T1552/001/",
+    "https://specterops.io/blog/2019/12/04/attacking-freeipa-part-ii-enumeration/",
+]
+risk_score = 99
+rule_id = "fb49e9de-f62b-41ad-9a37-40fed994c491"
+setup = """## Setup
+
+This rule requires the FreeIPA integration to be installed and configured to collect logs from FreeIPA servers.
+
+### FreeIPA Integration Setup
+1. Install the FreeIPA integration in Kibana Fleet.
+2. Add the integration to an Elastic Agent policy deployed on your FreeIPA server(s).
+3. Ensure the relevant log paths are accessible:
+   - 389DS access: `/var/log/dirsrv/slapd-*/access` (directory_access data stream)
+
+This rule requires the `latest_bind` transform to be running. Verify the transform is running: `GET _transform/logs-freeipa-latest-bind/_stats`. The destination index must use `index.mode: lookup`. See the integration README for setup instructions.
+"""
+severity = "critical"
+tags = [
+    "Domain: Identity",
+    "Data Source: FreeIPA",
+    "Data Source: FreeIPA Directory Server",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+from logs-freeipa.directory_access-*
+| where freeipa.directory.operation == "SRCH"
+    and freeipa.directory.scope == "sub"
+    and freeipa.directory.filter == "(userPassword=*)"
+| LOOKUP JOIN freeipa-lookup-bind ON freeipa.directory.connection_id
+    | KEEP @timestamp, freeipa.*, source.ip, user.*, observer.*, host.name, event.action, event.outcome, event.kind, event.category, event.type, event.module
+| where not freeipa.directory.bind_dn in ("cn=Directory Manager", "cn=directory manager")
+    and not freeipa.directory.bind_dn like "*cn=kerberos,*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[rule.threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "source.ip",
+    "freeipa.directory.bind_dn",
+    "freeipa.directory.connection_id",
+    "freeipa.directory.filter",
+    "freeipa.directory.base_dn",
+    "freeipa.directory.scope",
+]
@@ -0,0 +1,115 @@
+[metadata]
+creation_date = "2026/03/28"
+integration = ["freeipa"]
+maturity = "development"
+updated_date = "2026/03/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the first time a constrained delegation (S4U2Proxy) is used to impersonate a particular client for a
+particular service. New delegation relationships that haven't been seen in the past 14 days may indicate abuse of
+delegation privileges. Constrained delegation allows a service to request tickets on behalf of a user, and
+unauthorized new delegation pairs can enable lateral movement and privilege escalation.
+"""
+false_positives = [
+    """
+    Legitimate constrained delegation occurs in environments using web applications with Kerberos SSO (e.g., HTTP
+    services delegating to LDAP or CIFS). New delegation pairs may appear when new services are deployed or when
+    users access delegated services for the first time. Review the service principal's delegation configuration.
+    """,
+]
+from = "now-9m"
+index = ["logs-freeipa.kdc-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "FreeIPA New Constrained Delegation (S4U2Proxy) for Client"
+note = """## Triage and analysis
+
+### Investigating FreeIPA New Constrained Delegation (S4U2Proxy) for Client
+
+Constrained delegation (S4U2Proxy) allows a service principal to request Kerberos tickets on behalf of a user for specific target services. This is configured via msDS-AllowedToDelegateTo or its FreeIPA equivalent. If an attacker gains control of a service principal with delegation privileges, they can impersonate any user to the allowed target services. A new client-service delegation pair that hasn't been seen before may indicate abuse.
+
+### Possible investigation steps
+
+- Identify the impersonated client from `freeipa.kdc.s4u_client` and the target service from `freeipa.kdc.service_principal`.
+- Verify the service principal's delegation configuration matches the observed delegation pair.
+- Check if the s4u_client is a high-value target (admin, service account with elevated privileges).
+- Review who modified the service principal's delegation settings recently via IPA API events.
+- Correlate with other activity from the service principal's host to determine if it has been compromised.
+
+### Response and remediation
+
+- If unauthorized, remove the delegation privilege from the service principal using `ipa service-mod`.
+- Revoke active tickets for both the service principal and the impersonated client.
+- Investigate the service principal's host for signs of compromise.
+- Review all constrained delegation configurations in the domain with `ipa service-find --with-delegation`.
+"""
+references = [
+    "https://attack.mitre.org/techniques/T1550/003/",
+    "https://www.thehacker.recipes/ad/movement/kerberos/delegations/constrained",
+]
+risk_score = 73
+rule_id = "27304633-f55a-42dc-92bb-05aba996bfe7"
+setup = """## Setup
+
+This rule requires the FreeIPA integration to be installed and configured to collect logs from FreeIPA servers.
+
+### FreeIPA Integration Setup
+1. Install the FreeIPA integration in Kibana Fleet.
+2. Add the integration to an Elastic Agent policy deployed on your FreeIPA server(s).
+3. Ensure the relevant log paths are accessible:
+   - KDC: `/var/log/krb5kdc.log` (kdc data stream)
+"""
+severity = "high"
+tags = [
+    "Domain: Identity",
+    "Data Source: FreeIPA",
+    "Data Source: FreeIPA KDC",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "freeipa.kdc" and freeipa.kdc.s4u_client: *
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.003"
+name = "Pass the Ticket"
+reference = "https://attack.mitre.org/techniques/T1550/003/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "source.ip",
+    "freeipa.kdc.s4u_client",
+    "freeipa.kdc.service_principal",
+    "freeipa.kdc.client_principal",
+    "freeipa.kdc.request_type",
+    "event.outcome",
+]
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["freeipa.kdc.s4u_client", "freeipa.kdc.service_principal"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
@@ -0,0 +1,115 @@
+[metadata]
+creation_date = "2026/03/28"
+integration = ["freeipa"]
+maturity = "development"
+updated_date = "2026/03/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects a high number of Kerberos authentication failures for a single principal from a single source IP over a
+24-hour period. This catches patient brute force attacks that stay below the per-interval threshold of the standard
+brute force rule by spreading attempts across hours. The 24-hour bucket aggregation reveals slow-and-low credential
+guessing that would otherwise evade shorter detection windows.
+"""
+false_positives = [
+    """
+    A misconfigured service with an expired or incorrect keytab may generate sustained low-rate authentication
+    failures over 24 hours. Identify and fix the misconfigured service or exclude its source IP and principal.
+    """,
+]
+from = "now-25h"
+interval = "1h"
+language = "kuery"
+license = "Elastic License v2"
+name = "FreeIPA Slow Kerberos Brute Force Over 24 Hours"
+note = """## Triage and analysis
+
+### Investigating FreeIPA Slow Kerberos Brute Force Over 24 Hours
+
+Sophisticated attackers spread brute force attempts over long periods to avoid detection by short-window threshold rules. By aggregating failures into 24-hour buckets, this rule catches patient attacks that generate fewer than 25 failures per 5-minute window but accumulate significantly over a day. This is a common technique to stay below account lockout thresholds.
+
+### Possible investigation steps
+
+- Identify the targeted principal from `freeipa.kdc.client_principal` and determine its value (admin, service account, regular user).
+- Check `source.ip` and `source.geo` for the origin. External sources are high risk.
+- Review the distribution of failures over the 24-hour period — evenly spread failures suggest automated tooling, while clustered failures suggest manual attempts.
+- Check if any successful authentication occurred for the same principal from the same source, indicating the brute force may have succeeded.
+- Compare with the standard brute force rule to confirm this was below the short-window threshold.
+
+### Response and remediation
+
+- Block the source IP at the network perimeter.
+- Reset the targeted principal's password if there is any chance of compromise.
+- Review and lower account lockout thresholds if the current policy allows too many attempts.
+- Enable FreeIPA OTP/2FA for the targeted account if it is high-value.
+- Monitor for follow-up activity from the source IP.
+"""
+references = [
+    "https://attack.mitre.org/techniques/T1110/001/",
+    "https://specterops.io/blog/2019/11/25/attacking-freeipa-part-i-authentication/",
+]
+risk_score = 73
+rule_id = "449a8017-a606-4c89-a678-c4369c218a02"
+setup = """## Setup
+
+This rule requires the FreeIPA integration to be installed and configured to collect logs from FreeIPA servers.
+
+### FreeIPA Integration Setup
+1. Install the FreeIPA integration in Kibana Fleet.
+2. Add the integration to an Elastic Agent policy deployed on your FreeIPA server(s).
+3. Ensure the relevant log paths are accessible:
+   - KDC: `/var/log/krb5kdc.log` (kdc data stream)
+"""
+severity = "high"
+tags = [
+    "Domain: Identity",
+    "Data Source: FreeIPA",
+    "Data Source: FreeIPA KDC",
+    "Use Case: Threat Detection",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+index = ["logs-freeipa.kdc-*"]
+type = "threshold"
+
+query = '''
+event.dataset: "freeipa.kdc" and event.outcome: "failure"
+'''
+
+
+
+[rule.threshold]
+field = ["freeipa.kdc.client_principal", "source.ip"]
+value = 50
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1110"
+name = "Brute Force"
+reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.001"
+name = "Password Guessing"
+reference = "https://attack.mitre.org/techniques/T1110/001/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "source.ip",
+    "source.geo.country_name",
+    "freeipa.kdc.client_principal",
+    "freeipa.kdc.error_code",
+    "event.outcome",
+    "Esql.failure_count",
+    "day_bucket",
+]