[Rule Tuning] Linux DR Tuning - Part 2 (#4417)

elastic · Jan 29, 2025 · 52d33c1 · 52d33c1
1 parent 4e95bc7
commit 52d33c1
Show file tree

Hide file tree

Showing 13 changed files with 41 additions and 27 deletions.
diff --git a/rules/linux/defense_evasion_dynamic_linker_file_creation.toml b/rules/linux/defense_evasion_dynamic_linker_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/08/08"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,10 @@ not (
     "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/opt/dynatrace/oneagent/*"
   ) or
   process.executable == null or
-  process.name == "java" or
+  process.name in (
+    "java", "executor", "ssm-agent-worker", "packagekitd", "crio", "dockerd-entrypoint.sh",
+    "docker-init", "BootTimeChecker"
+  ) or
   (process.name == "sed" and file.name : "sed*") or
   (process.name == "perl" and file.name : "e2scrub_all.tmp*")
 )

diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,9 @@ type = "new_terms"
 query = '''
 host.os.type:linux and event.category:process and event.type:start and
 process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and
-not process.parent.name:(apt-key or update-motd-updates-available or apt-get)
+not process.parent.name:(
+  apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx
+)
 '''
 note = """## Triage and analysis
 

diff --git a/rules/linux/defense_evasion_hidden_directory_creation.toml b/rules/linux/defense_evasion_hidden_directory_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -72,8 +72,9 @@ process.name == "mkdir" and process.parent.executable like (
 ) and process.args like (".*", "/*/.*") and process.args_count <= 3 and not (
   process.parent.executable like ("/tmp/newroot/*", "/run/containerd/*") or
   process.command_line like ("mkdir -p .", "mkdir ./*") or
+  process.args == "/root/.ssh" or
   process.parent.executable like (
-    "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img"
+    "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*"
   )
 )
 '''

diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
 process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
 not process.name in (
   "ls", "find", "grep", "git", "jq", "basename", "check_snmp", "snmpget", "snmpwalk", "cc1plus", "snap",
-  "command-not-found"
+  "command-not-found", "sqlite", "apk", "fgrep", "locate", "objdump"
 )
 '''
 note = """## Triage and analysis

diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ type = "eql"
 
 query = '''
 file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and
-not process.name == "dockerd"
+not process.name in ("dockerd", "azcopy", "podman")
 '''
 note = """## Triage and analysis
 

diff --git a/rules/linux/defense_evasion_interactive_shell_from_system_user.toml b/rules/linux/defense_evasion_interactive_shell_from_system_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -67,6 +67,8 @@ event.category:process and host.os.type:linux and event.type:start and event.act
   ) or
   process.args:(/etc/apt/trusted.gpg.d/* or /tmp/apt-key-gpg*) or
   process.name:(awk or apt-config or dpkg or grep or gpgv or sed) or
+  (user.name:_apt and process.name:(sqv or apt-key or gpgconf or sort or mktemp or find or cmp or gpg-connect-agent)) or
+  (user.name:man and process.name:mandb) or
   (user.name:daemon and process.name:at)
 )
 '''

diff --git a/rules/linux/defense_evasion_root_certificate_installation.toml b/rules/linux/defense_evasion_root_certificate_installation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 process.name in ("update-ca-trust", "update-ca-certificates") and not (
   process.parent.name like (
     "ca-certificates.postinst", "ca-certificates-*.trigger", "pacman", "pamac-daemon", "autofirma.postinst",
-    "ipa-client-install", "su", "platform-python", "python*", "kesl", "execd"
+    "ipa-client-install", "su", "platform-python", "python*", "kesl", "execd", "systemd", "flock"
   ) or
   process.parent.args like "/var/tmp/rpm*" or
   (process.parent.name in ("sh", "bash", "zsh") and process.args == "-e")

diff --git a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.16.2 for the SentinelOne Integration."
 min_stack_version = "8.16.2"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event")
-and file.path : "/etc/selinux/config"
+and file.path : "/etc/selinux/config" and not process.name in ("dockerd", "platform-python")
 '''
 note = """## Triage and analysis
 

diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -72,8 +72,9 @@ not (
   process.parent.name:(
     mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or
     vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or weak-modules or zfs or
-    systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install
-  )
+    systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install or newrelic-infra
+  ) or
+  process.parent.executable:/var/lib/dpkg/info/linux-modules*-generic.post*
 )
 '''
 note = """## Triage and analysis

diff --git a/rules/linux/discovery_pam_version_discovery.toml b/rules/linux/discovery_pam_version_discovery.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -66,11 +66,12 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
-  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name != null and
   (
     (process.name in ("dpkg", "dpkg-query") and process.args == "libpam-modules") or
     (process.name == "rpm" and process.args == "pam")
-  )
+  ) and
+not process.parent.name in ("dcservice", "inspectorssmplugin")
 '''
 note = """## Triage and analysis
 

diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/20"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ query = '''
 sequence by process.pid, host.id with maxspan=5s
   [file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and
    auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") and
-   not process.name == "agentbeat"
+   not process.name in ("agentbeat", "packetbeat")
   ] with runs=10
 '''
 note = """## Triage and analysis

diff --git a/rules/linux/discovery_security_file_access_via_common_utility.toml b/rules/linux/discovery_security_file_access_via_common_utility.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,8 @@ process where host.os.type == "linux" and event.type == "start" and
     "/home/*/.aws/credentials", "/home/*/.aws/config", "/home/*/.config/gcloud/*credentials.json",
     "/home/*/.config/gcloud/configurations/config_default", "/home/*/.azure/accessTokens.json",
     "/home/*/.azure/azureProfile.json"
-  )
+  ) and 
+not process.parent.name in ("wazuh-modulesd", "lynis")
 '''
 note = """## Triage and analysis
 

diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,10 @@ query = '''
 sequence by host.id, process.parent.entity_id with maxspan=1s
   [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
    process.name == "id" and process.args_count == 2 and
-   not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20
+   not (
+     process.parent.name in ("rpm", "snarftmp", "quota_copy", "java") or
+     process.parent.args : "/var/tmp/rpm-tmp*"
+    )] with runs=20
 '''
 note = """## Triage and analysis