Penetration testing user agent identified
Goal
Detects activity using penetration testing tool user agents across multiple cloud sources. Identifies reconnaissance activity using Kali Linux, Parrot OS, and Pentoo security testing platforms.
Strategy
This rule monitors activity across cloud environments for user agent strings associated with penetration testing platforms. The detection tracks @ocsf.class_uid:6003 events containing user agent patterns for Kali Linux, Parrot OS, and Pentoo security distributions. These platforms are commonly used by security researchers and attackers for reconnaissance, vulnerability assessment, and exploitation activities. The rule distinguishes between successful and failed requests to provide appropriate alert severity levels.
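As an added illustration of the matching and severity split described above (this is not Datadog's rule query or code), the following Python applies the same logic to constructed OCSF-style events. The `http_request.user_agent` and `status_id` field names, the regular expressions, and the "high"/"medium" severity levels are assumptions, not values taken from the rule.

```python
import re

# Assumed OCSF API Activity class (the rule filters on @ocsf.class_uid:6003).
API_ACTIVITY_CLASS_UID = 6003
STATUS_SUCCESS = 1  # assumed OCSF status_id values: 1 = Success, 2 = Failure

# Word-bounded, case-insensitive patterns for the three platforms the rule names.
# The rule's actual query is not on the page; these patterns are an assumption.
PENTEST_UA_PATTERNS = {
    "Kali Linux": re.compile(r"\bkali\b", re.IGNORECASE),
    "Parrot OS": re.compile(r"\bparrot\b", re.IGNORECASE),
    "Pentoo": re.compile(r"\bpentoo\b", re.IGNORECASE),
}

# Constructed sample events in an OCSF-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"class_uid": 6003, "status_id": 1, "src_endpoint": {"ip": "203.0.113.10"},
     "http_request": {"user_agent": "Mozilla/5.0 (X11; Kali Linux x86_64) Firefox/115.0"}},
    {"class_uid": 6003, "status_id": 2, "src_endpoint": {"ip": "198.51.100.7"},
     "http_request": {"user_agent": "curl/8.0 (Parrot OS)"}},
    # Same kind of UA but not an API Activity event: outside the rule's scope.
    {"class_uid": 4001, "status_id": 1, "src_endpoint": {"ip": "198.51.100.8"},
     "http_request": {"user_agent": "Mozilla/5.0 (Pentoo)"}},
    # Benign: 'Parrotfish' must not match because the pattern is word-bounded.
    {"class_uid": 6003, "status_id": 1, "src_endpoint": {"ip": "192.0.2.5"},
     "http_request": {"user_agent": "Parrotfish/1.0 (Windows NT 10.0)"}},
]

def classify(event):
    """Return an alert dict if the event matches the rule, else None."""
    if event.get("class_uid") != API_ACTIVITY_CLASS_UID:
        return None
    ua = (event.get("http_request") or {}).get("user_agent", "")
    for platform, pattern in PENTEST_UA_PATTERNS.items():
        if pattern.search(ua):
            # Severity split mirrors the rule's success/failure distinction;
            # the exact levels are assumed, not taken from the page.
            succeeded = event.get("status_id") == STATUS_SUCCESS
            return {
                "platform": platform,
                "src_ip": (event.get("src_endpoint") or {}).get("ip"),
                "user_agent": ua,
                "severity": "high" if succeeded else "medium",
            }
    return None

def detect(events):
    """Run the rule over a batch of events and return the alerts it raises."""
    return [alert for alert in map(classify, events) if alert]
```

Running `detect(SAMPLE_EVENTS)` raises two alerts: a high-severity one for the successful Kali request and a medium one for the failed Parrot request, while the non-API-Activity event and the "Parrotfish" user agent are ignored.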
Triage & Response
- Examine the source IP address {{@ocsf.src_endpoint.ip}} to determine if the activity originates from authorized security testing or penetration testing engagements.
- Identify the specific user agent string used in the request to understand which penetration testing platform was detected.
- Review the target endpoints and services being accessed to assess the scope of potential reconnaissance activity.
- Check for additional reconnaissance activities from the same source IP address across other cloud services and applications.
- Determine if the activity aligns with scheduled security assessments or represents unauthorized penetration testing attempts.
- Validate the request status (successful vs failed) to understand the effectiveness of the reconnaissance attempt.