diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
index eaabb41bc46..7a20535cd5f 100644
--- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
@@ -41,8 +41,8 @@ process where container.id: "*" and event.type== "start" and
 /*D4C consolidates closely spawned event.actions, this excludes end actions to only capture ongoing processes*/
-event.action in ("fork", "exec") and event.action != "end"
- and process.entry_leader.same_as_process== false and
+event.action in ("fork", "exec") and
+ process.entry_leader.same_as_process== false and
 (
 (process.executable: "*/*sh" and process.args: ("-i", "-it")) or
 process.args: "*/*sh"
diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
index 900790cf042..0d38bc0944f 100644
--- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
+++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 [rule]
 author = ["Elastic"]
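Review bot: The comment on the context line above the changed predicate, `/*D4C consolidates closely spawned event.actions, this excludes end actions to only capture ongoing processes*/`, now describes a clause that no longer exists: the explicit `event.action != "end"` was dropped and the exclusion now rests solely on `event.action in ("fork", "exec")`. Reword it so a reader does not go looking for the removed check, e.g. `/*D4C consolidates closely spawned event.actions; only fork/exec actions are listed, so end actions are excluded and only ongoing processes are captured*/`. The same predicate removal is made in the ssh-in-container rule further down, which carries no comment at all, and the reworded comment fits above its `event.action` line too. The enclosing query continues past the end of this hunk.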
@@ -45,7 +45,7 @@ type = "eql"
 query = '''
 process where container.id: "*" and event.type== "start" and
-event.action in ("fork", "exec") and event.action != "end" and
+event.action in ("fork", "exec") and
 process.name: ("sshd", "ssh", "autossh")
 '''
 note = """## Triage and analysis
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index 154708e80c4..ddd276f3160 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/02/07"
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and
+process where host.os.type == "linux" and event.type == "start" and process.executable == "/usr/sbin/tc" and
 process.args == "filter" and process.args == "add" and process.args == "bpf" and
 not process.parent.executable == "/usr/sbin/libvirtd"
 '''
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 14e1b37d267..ac916d6d0a7 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/02/07"
 [rule]
 author = ["Elastic"]
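Review bot: In the tc rule's query, replacing `event.type != "end"` with `event.type == "start"` narrows the rule rather than tidying it: a process event carrying any other `event.type` value (ECS also permits `info`, for example) matched before and will not match now. Because this rule is bound to both `endpoint` and `sentinel_one_cloud_funnel` on the `integration` line in the hunk above, it is worth confirming that the SentinelOne data carries `event.type == "start"` for process creation, otherwise the rule silently stops firing for that source; the diff itself does not show which value that integration emits. If the narrowing is intended, a comment such as `/* only process-start events are wanted; matching end or info events would re-alert on the same tc invocation */` above the `process where` line, or an entry in the rule's changelog, would record the decision. The osascript rule at the bottom of this diff applies the same substitution to a `network` event, where `start` does not mean the same thing as for a process event, so the same confirmation applies there, though that hunk is cut off in this view.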
@@ -61,7 +61,7 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=30s
 [process where host.os.type == "macos" and event.type == "start" and process.name == "osascript"]
- [network where host.os.type == "macos" and event.type != "end" and process.name == "osascript" and destination.ip != "::1" and
+ [network where host.os.type == "macos" and event.type == "start" and process.name == "osascript" and destination.ip != "::1" and
 not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24",