[Rule Tuning] Some Tunings of several 8.9 rules (#2985)

* [Rule Tuning] Doing some quick tunings * updated_date bump * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_sysctl_enumeration.toml * Update rules/linux/persistence_init_d_file_creation.toml * Update rules/linux/persistence_rc_script_creation.toml * Update rules/linux/persistence_shared_object_creation.toml * deprecate rule * deprecate rule * Update execution_abnormal_process_id_file_created.toml * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update execution_remote_code_execution_via_postgresql.toml * Update discovery_potential_syn_port_scan_detected.toml * Added 2 tunings, sorry I missed those.. * One more tune * Update discovery_suspicious_proc_enumeration.toml (cherry picked from commit a7ff449)
elastic · Aug 3, 2023 · 07cea18 · 07cea18
1 parent 69d28e0
commit 07cea18
Show file tree

Hide file tree

Showing 23 changed files with 128 additions and 109 deletions.
diff --git a/...tion_attempt_by_non_ssh_root_session.toml → ...tion_attempt_by_non_ssh_root_session.toml b/...tion_attempt_by_non_ssh_root_session.toml → ...tion_attempt_by_non_ssh_root_session.toml
@@ -1,10 +1,11 @@
 [metadata]
 creation_date = "2022/05/16"
+deprecation_date = "2023/07/31"
 integration = ["endpoint"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]

diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -88,15 +88,14 @@ and source.ip : (
         "FF00::/8")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
@@ -105,8 +104,7 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["destination.ip", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-2d"
-
-
+value = "now-7d"
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -2,9 +2,9 @@
 creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -21,35 +21,40 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Enumeration of Kernel Modules"
 risk_score = 47
 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
-type = "eql"
-
+type = "new_terms"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and 
-((process.name == "kmod" and process.args == "list") or (process.name == "modinfo" and process.parent.user.id != "0") or 
-(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0") 
-or process.name == "lsmod") and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not 
-process.group_leader.name : "qualys-cloud-agent"
+event.category:process and host.os.type:linux and event.type:start and (
+ (process.name:(lsmod or modinfo)) or 
+ (process.name:kmod and process.args:list) or 
+ (process.name:depmod and process.args:(--all or -a))
+) and not process.parent.user.id:0
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
 
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.parent.name", "host.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules/linux/discovery_kernel_module_enumeration_via_proc.toml b/rules/linux/discovery_kernel_module_enumeration_via_proc.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/12"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -41,29 +41,29 @@ For this detection rule to trigger, the following additional audit rules are req
 ```
 Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
 """
-risk_score = 47
+risk_score = 21
 rule_id = "80084fa9-8677-4453-8680-b891d3c0c778"
-severity = "medium"
+severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-file where host.os.type == "linux" and event.action == "opened-file" and 
-file.path == "/proc/modules" and not process.parent.pid == 1
+file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not 
+(
+  process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "SchedulerRunner", "grep") or 
+  process.parent.pid == 1 or process.title : "*grep*"
+)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
diff --git a/rules/linux/discovery_linux_modprobe_enumeration.toml b/rules/linux/discovery_linux_modprobe_enumeration.toml
@@ -4,15 +4,15 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized 
-access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or 
-unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities 
-within the system.
+Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or 
+manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized
+kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the 
+system.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -47,9 +47,12 @@ tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
+file where host.os.type == "linux" and event.action == "opened-file" and
 file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not 
-(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod") or process.title : ("*grep*") or process.parent.pid == 1)
+(
+  process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp") or 
+  process.title : "*grep*" or process.parent.pid == 1
+)
 '''
 
 [[rule.threat]]

diff --git a/rules/linux/discovery_linux_sysctl_enumeration.toml b/rules/linux/discovery_linux_sysctl_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
-file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and not process.name == "auditbeat"
+file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and 
+not process.name in ("auditbeat", "systemd-sysctl")
 '''
 
 [[rule.threat]]

diff --git a/rules/linux/discovery_suspicious_proc_enumeration.toml b/rules/linux/discovery_suspicious_proc_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/09"
+updated_date = "2023/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -38,16 +38,17 @@ For this detection rule to trigger, the following additional audit rules are req
 
 Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
 """
-risk_score = 47
+risk_score = 21
 rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd"
-severity = "medium"
+severity = "low"
 tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "threshold"
 
 query = '''
 host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and 
-file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1
+file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : "pidof" and 
+not process.parent.pid : 1
 '''
 
 [[rule.threat]]
@@ -72,4 +73,4 @@ field = ["host.id", "process.pid", "process.name"]
 value = 1
 [[rule.threshold.cardinality]]
 field = "file.path"
-value = 25
+value = 100
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -80,11 +80,12 @@ type = "new_terms"
 
 query = '''
 host.os.type : "linux" and event.category : "file" and event.action : ("creation" or "file_create_event") and
-user.id : "0" and file.path : (/var/run/* or /run/*) and file.extension : ("pid" or "lock" or "reboot") and not 
-file.name : ("auditd.pid" or "python*" or "apport.pid" or "apport.lock" or "kworker*" or "gdm3.pid" or "sshd.pid" or 
+user.id : "0" and file.extension : ("pid" or "lock" or "reboot") and file.path : (/var/run/* or /run/*) and not 
+file.name : ("auditd.pid" or python* or "apport.pid" or "apport.lock" or kworker* or "gdm3.pid" or "sshd.pid" or 
 "acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or 
 "docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or 
-"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid")
+"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid" or "winbindd.pid" or "chronyd.pid") and
+not process.name : ("runc" or "ufw" or "snapd" or "snap" or "iptables")
 '''
 
 [[rule.threat]]
@@ -106,4 +107,4 @@ value = ["process.executable", "file.path"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-14d"
diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/20"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -20,15 +20,18 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Code Execution via Postgresql"
-risk_score = 73
+risk_score = 47
 rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e"
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 type = "eql"
 
 query = '''
 process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and 
-event.type == "start" and user.name == "postgres" and (process.parent.args : "*sh" or process.args : "*sh")
+event.type == "start" and user.name == "postgres" and (
+  (process.parent.args : "*sh" and process.parent.args : "echo*") or 
+  (process.args : "*sh" and process.args : "echo*")
+) and not process.parent.name : "puppet"
 '''
 
 [[rule.threat]]

diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/15"
+updated_date = "2023/08/02"
 
 [rule]
 author = ["Elastic"]
@@ -19,9 +19,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious File Changes Activity Detected"
-risk_score = 73
+risk_score = 47
 rule_id = "28738f9f-7427-4d23-bc69-756708b5f624"
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
 type = "eql"
 query = '''
@@ -36,20 +36,20 @@ sequence by host.id, process.entity_id with maxspan=1s
       "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
       ) and not 
     process.name : (
-      "dpkg",  "yum", "dnf", "rpm", "dockerd"
+      "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", 
+      "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy"
     ) ] with runs=100 | tail 1
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1486"
 name = "Data Encrypted for Impact"
 reference = "https://attack.mitre.org/techniques/T1486/"
 
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
+reference = "https://attack.mitre.org/tactics/TA0040/"