This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
Permission Theft - Prevented - Elastic Endgame
editPermission Theft - Prevented - Elastic Endgame
editElastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Rule type: query
Rule indices:
- endgame-*
Severity: medium
Risk score: 47
Runs every: 10m
Searches indices from: now-15m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 10000
References: None
Tags:
- Elastic
- Elastic Endgame
- Threat Detection
- Privilege Escalation
Version: 9
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editevent.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Access Token Manipulation
- ID: T1134
- Reference URL: https://attack.mitre.org/techniques/T1134/