[BUG] ESCU - Get ADUser with PowerShell - Rule has no Adaptive Response Actions
albertenc13 opened this issue · 3 comments
Hi @albertenc13
Thanks for reaching out. The Get ADUser with PowerShell rule is configured as designed.
There are several analytics that ship within ESCU that do not have an Adaptive Response Action. These are all "Hunting" type analytics, which means they're written with the intent to be used to help with Threat Hunting, run interactively by an analyst familiar enough with the environment to recognize what activity returned by it is "normal" or "not normal" for them. Alternatively, users can build a dashboard around the analytic that can have additional searches to provide more context or to provide instructions to the analyst interpreting the results.
You can read more about the different types of analytics within ESCU, and how that type influences the adaptive response actions that are preconfigured here.
@albertenc13, hope this helps. I would love to hear any feedback you have, but otherwise for now I will close this issue.
Hi @josehelps and @ljstella, this is actually very useful and informative! Thank you so much for all of the hard work you guys put into creating these detections, especially for small teams like mine where we do not have a detection engineering team!!