Add FreeIPA detection rules (26 rules across 4 data streams)#5896
Draft
Oddly wants to merge 2 commits into elastic:main from
fcb300c to bb4f4ec
First detection rule coverage for FreeIPA identity management, covering Kerberos authentication attacks, LDAP abuse, IPA API privilege escalation, certificate infrastructure manipulation, and domain policy modification. All rules use ES|QL queries with setup guides, investigation guides, investigation_fields, and MITRE ATT&CK mappings across 9 tactics. All 16 rules confirmed firing on attack simulations against a live FreeIPA 4.12.2 environment with Elastic Agent 9.3.2, with zero false positives from normal operations after tuning.

Key findings from live testing:
- FreeIPA accounts lock out after a few PREAUTH_FAILED errors, so the brute force rule counts all failure types
- LDAP BIND and RESULT are separate log events, so bind brute force matches RESULT tag=97
- the IPA API uses ipauserauthtype, not user_auth_type, as the parameter name
- CA role assumption by ipara/pkidbuser is internal and excluded
- KDC krbMKey queries to cn=kerberos are internal and excluded
74074d6 to 4b58cf0
Second wave of FreeIPA detection rules using ES|QL LOOKUP JOIN and new_terms rule types for detections that require cross-event correlation or behavioral baselines.

LOOKUP JOIN rules (5) use the existing latest_bind transform to enrich directory_access RESULT events with the authenticated identity from the corresponding BIND event. This enables rules that were previously impossible due to BIND and RESULT being separate log events:
- Anonymous LDAP enumeration: join to identify anonymous sessions
- Credential attribute search by external user: exclude internal FreeIPA operations by bind DN
- Mass enumeration by non-service account: filter out SSSD and host principal queries, flag human-initiated enumeration
- CVE-2025-7493 krbCanonicalName modification: detect principal spoofing with authenticated identity context
- LDAP configuration modification: detect cn=config changes with who made the change

new_terms rules (4) use 14-30 day history windows to detect first occurrences of security-relevant activity:
- First Kerberos auth from new source IP per principal
- First administrative API command for a user
- New host enrollment from previously unseen source IP
- New constrained delegation (S4U2Proxy) client-service pair

24-hour aggregation rules (2) catch patient attacks that stay below per-interval thresholds:
- Slow brute force: 50+ failures per principal over 24 hours
- Slow password spray: 50+ failures across 10+ principals over 24 hours
4b58cf0 to 48a9393
Author
Two detection rules don't have working E2E tests yet; I'd appreciate input or help on these:
First detection rule coverage for FreeIPA (Red Hat IdM). 26 rules (20 ES|QL, 4 new_terms, 2 threshold) covering Kerberos authentication attacks, LDAP abuse, IPA API privilege escalation, certificate manipulation, and constrained delegation across 9 MITRE ATT&CK tactics.

All rules tested against a live FreeIPA 4.12.2 environment with Elastic Agent and confirmed firing. Zero false positives from normal operations after tuning.

Depends on the FreeIPA integration (elastic/integrations#17812) which collects from five FreeIPA subsystems: Kerberos KDC, 389 Directory Server (access + errors), Dogtag CA, and IPA JSON API.

Rules by data stream:
- KDC (logs-freeipa.kdc-*) — 8 rules: brute force, password spraying, principal enumeration, account lockout storm, first auth from new source IP, S4U2Proxy from new client, slow brute force (24h), slow spray (24h).
- LDAP (logs-freeipa.directory_access-*) — 6 rules: bind brute force, mass data exfiltration, anonymous enumeration, non-service account enumeration (LOOKUP JOIN), credential attribute search by external user (LOOKUP JOIN), server config modification.
- IPA API (logs-freeipa.ipa_api-*) — 10 rules: password reset, admin group membership, RBAC modification, OTP token manipulation, auth type downgrade, password policy weakening, AD trust modification, mass account disable/deletion, new host enrollment from new IP, first API command by new user.
- CA (logs-freeipa.ca_audit-*) — 2 rules: bulk certificate revocation, CA role assumption (excluding ipara/pkidbuser service accounts).

Notable implementation details:
- tag_number == 97 (bind response), not BIND events which lack result codes.
- investigation_fields, and false positive documentation.

Test suite at Oddly/freeipa-detection-tests.
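An added example, not code from this PR or from the FreeIPA integration: a Python stand-in for the BIND/RESULT join (the latest_bind enrichment) and for the 24-hour slow brute force and password spray thresholds described in the commit messages and summary above, run over constructed 389-ds style access log lines. The log layout, DN values and the thresholds used as defaults are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# BIND carries the identity, RESULT carries the outcome; tag=97 is the LDAP bind response.
BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')

def parse_ts(raw):
    # 389-ds prints nanoseconds; strptime's %f takes at most six digits, so trim the fraction.
    head, frac, tz = re.match(r"(.*)\.(\d+) (\S+)$", raw).groups()
    return datetime.strptime(f"{head}.{frac[:6]} {tz}", "%d/%b/%Y:%H:%M:%S.%f %z")

def bind_results(lines):
    """Yield (timestamp, bind DN, err) for each RESULT tag=97, joined to its BIND on (conn, op)."""
    pending = {}  # (conn, op) -> dn: in-memory stand-in for the latest_bind lookup index
    for line in lines:
        m = BIND_RE.match(line)
        if m:
            pending[(m["conn"], m["op"])] = m["dn"]
            continue
        m = RESULT_RE.match(line)
        if m and m["tag"] == "97":
            yield parse_ts(m["ts"]), pending.pop((m["conn"], m["op"]), "<unjoined>"), int(m["err"])

def slow_bind_attacks(lines, window=timedelta(hours=24), per_dn=50, spray_total=50, spray_dns=10):
    """Count failed binds in the trailing window; return (brute-forced DNs, spray detected)."""
    events = sorted(bind_results(lines))
    failures = defaultdict(int)
    for ts, dn, err in events:
        if err != 0 and ts >= events[-1][0] - window:   # err=0 is a successful bind
            failures[dn] += 1
    brute = {dn for dn, n in failures.items() if n >= per_dn}
    spray = sum(failures.values()) >= spray_total and len(failures) >= spray_dns
    return brute, spray

def sample_log():
    """Constructed log: 55 failed binds for alice over 18h, 5 failures for each of 12 other users."""
    base, lines = datetime(2025, 1, 20, tzinfo=timezone.utc), []
    def attempt(conn, minutes, uid, err):
        ts = (base + timedelta(minutes=minutes)).strftime("%d/%b/%Y:%H:%M:%S.000000000 %z")
        lines.append(f'[{ts}] conn={conn} op=0 BIND dn="uid={uid},cn=users,cn=accounts,dc=example,dc=test" method=128 version=3')
        lines.append(f"[{ts}] conn={conn} op=0 RESULT err={err} tag=97 nentries=0 etime=0.000412")
    for i in range(55):
        attempt(100 + i, 20 * i, "alice", 49)          # err=49: invalid credentials
    for u in range(12):
        for j in range(5):
            attempt(1000 + 5 * u + j, 60 * u + j, f"user{u}", 49)
    attempt(9000, 1200, "alice", 0)                    # one success, must not count
    return lines
```

A RESULT whose BIND was not seen is reported as "<unjoined>" rather than dropped, which mirrors why the ES|QL rules key on RESULT events and enrich them, instead of counting BIND events that carry no result code.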