From 2c4307f06390354a8d70ca33af118641e8442be1 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Fri, 7 Feb 2025 18:42:28 -0300
Subject: [PATCH] [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions (#4445)

* [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions
* .
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 5155f47b86a44ee8ba157edf9a802a77fba42250)
---
 ...n_interactive_shell_spawned_from_inside_a_container.toml | 6 +++---
 ...al_movement_ssh_process_launched_inside_a_container.toml | 4 ++--
 rules/linux/execution_tc_bpf_filter.toml | 4 ++--
 ...ecution_scripting_osascript_exec_followed_by_netcon.toml | 4 ++--
 .../windows/persistence_local_scheduled_task_creation.toml | 4 ++--
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
index eaabb41bc46..7a20535cd5f 100644
--- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
@@ -2,7 +2,7 @@ creation_date = "2023/04/26" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"]
@@ -41,8 +41,8 @@ process where container.id: "*" and event.type== "start" and /*D4C consolidates closely spawned event.actions, this excludes end actions to only capture ongoing processes*/ -event.action in ("fork", "exec") and event.action != "end" - and process.entry_leader.same_as_process== false and +event.action in ("fork", "exec") and + process.entry_leader.same_as_process== false and ( (process.executable: "*/*sh" and process.args: ("-i", "-it")) or process.args: "*/*sh"
diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
index 900790cf042..0d38bc0944f 100644
--- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
@@ -2,7 +2,7 @@ creation_date = "2023/05/12" integration = ["cloud_defend"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"]
@@ -45,7 +45,7 @@ type = "eql" query = ''' process where container.id: "*" and event.type== "start" and -event.action in ("fork", "exec") and event.action != "end" and +event.action in ("fork", "exec") and process.name: ("sshd", "ssh", "autossh") ''' note = """## Triage and analysis
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index 154708e80c4..ddd276f3160 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" min_stack_version = "8.13.0" min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -updated_date = "2025/02/04" +updated_date = "2025/02/07" [rule] author = ["Elastic"]
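Review bot: The context line `/*D4C consolidates closely spawned event.actions, this excludes end actions to only capture ongoing processes*/` directly above the changed clause now documents a condition this hunk removes, since `event.action != "end"` is gone from the new `event.action in ("fork", "exec") and` line; reword it to describe what remains, e.g. `/* D4C consolidates closely spawned event.actions; matching fork/exec keeps only ongoing processes */`, or drop it. If that consolidation means a single document can carry several `event.action` values, the removed inequality may not have been redundant with the `in` test, depending on how EQL evaluates `!=` against a multi-valued field, so it is worth confirming on real cloud_defend events that documents carrying an `end` action no longer match. The same clause is removed in lateral_movement_ssh_process_launched_inside_a_container.toml in this commit. The query's closing lines lie outside the hunk.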
@@ -66,7 +66,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and +process where host.os.type == "linux" and event.type == "start" and process.executable == "/usr/sbin/tc" and process.args == "filter" and process.args == "add" and process.args == "bpf" and not process.parent.executable == "/usr/sbin/libvirtd" '''
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 14e1b37d267..ac916d6d0a7 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/04" +updated_date = "2025/02/07" [rule] author = ["Elastic"]
@@ -61,7 +61,7 @@ type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=30s [process where host.os.type == "macos" and event.type == "start" and process.name == "osascript"] - [network where host.os.type == "macos" and event.type != "end" and process.name == "osascript" and destination.ip != "::1" and + [network where host.os.type == "macos" and event.type == "start" and process.name == "osascript" and destination.ip != "::1" and not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24",
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 75b3674a23c..d8d21c6d8ab 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
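Review bot: Replacing `event.type != "end"` with `event.type == "start"` on the changed `process where` line narrows the rule from any non-end process event to start events only, and this rule is declared for both `endpoint` and `sentinel_one_cloud_funnel` (the `integration` line in this file's earlier hunk); process-creation documents from the SentinelOne source that are typed anything other than `start` would stop matching silently. Confirm on sample SentinelOne Cloud Funnel events that creation is reported as `event.type: "start"`, and if so record the expectation in the query, e.g. `/* endpoint and sentinel_one_cloud_funnel both type process creation as "start" */` above the `process where` line. The same narrowing is applied in execution_scripting_osascript_exec_followed_by_netcon.toml and persistence_local_scheduled_task_creation.toml in this commit.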
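Review bot: On the `[network where ...]` clause of the osascript sequence, the switch from `event.type != "end"` to `event.type == "start"` excludes more than the equivalent change on a process event, because ECS network events may also carry types such as `connection`, `protocol` or `info`, which the old inequality accepted and the new equality rejects; osascript DNS or protocol-level activity reported with one of those types would no longer complete the sequence. If only connection attempts are meant to count that is a reasonable tuning, but it should be stated in the rule; otherwise `event.type in ("start", "connection", "protocol")` stays closer to the previous coverage. Confirm on endpoint network documents before merging; the second sequence clause and the rest of the `cidrmatch` list continue outside the hunk.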
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" min_stack_version = "8.14.0" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -40,7 +40,7 @@ type = "eql" query = ''' sequence with maxspan=1m - [process where host.os.type == "windows" and event.type != "end" and + [process where host.os.type == "windows" and event.type == "start" and ((process.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe", "winrshost.exe") or process.pe.original_file_name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",