[Rule Tuning] Some Tunings of several 8.9 rules

rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml → rules/_deprecated/command_and_control_connection_attempt_by_non_ssh_root_session.toml

@@ -1,10 +1,11 @@
 [metadata]
 creation_date = "2022/05/16"
+deprecation_date = "2023/07/31"
 integration = ["endpoint"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]

rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -88,15 +88,14 @@ and source.ip : (
         "FF00::/8")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
@@ -105,8 +104,7 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["destination.ip", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-2d"
-
-
+value = "now-7d"

rules/linux/discovery_kernel_module_enumeration.toml

@@ -2,9 +2,9 @@
 creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -21,35 +21,40 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Enumeration of Kernel Modules"
 risk_score = 47
 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
-type = "eql"
-
+type = "new_terms"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and 
-((process.name == "kmod" and process.args == "list") or (process.name == "modinfo" and process.parent.user.id != "0") or 
-(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0") 
-or process.name == "lsmod") and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not 
-process.group_leader.name : "qualys-cloud-agent"
+event.category:process and host.os.type:linux and event.type:start and (
+ (process.name:(lsmod or modinfo)) or 
+ (process.name:kmod and process.args:list) or 
+ (process.name:depmod and process.args:(--all or -a))
+) and not process.parent.user.id:0
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
 
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.parent.name", "host.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules/linux/discovery_kernel_module_enumeration_via_proc.toml

@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/12"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -41,29 +41,29 @@ For this detection rule to trigger, the following additional audit rules are req
 ```
 Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
 """
-risk_score = 47
+risk_score = 21
 rule_id = "80084fa9-8677-4453-8680-b891d3c0c778"
-severity = "medium"
+severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-file where host.os.type == "linux" and event.action == "opened-file" and 
-file.path == "/proc/modules" and not process.parent.pid == 1
+file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not 
+(
+  process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "SchedulerRunner", "grep") or 
+  process.parent.pid == 1 or process.title : "*grep*"
+)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-

rules/linux/discovery_linux_modprobe_enumeration.toml

@@ -4,15 +4,15 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized 
-access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or 
-unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities 
-within the system.
+Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or 
+manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized
+kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the 
+system.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -47,9 +47,12 @@ tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
+file where host.os.type == "linux" and event.action == "opened-file" and
 file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not 
-(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod") or process.title : ("*grep*") or process.parent.pid == 1)
+(
+  process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp") or 
+  process.title : "*grep*" or process.parent.pid == 1
+)
 '''
 
 [[rule.threat]]

rules/linux/discovery_linux_sysctl_enumeration.toml

@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
-file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and not process.name == "auditbeat"
+file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and 
+not process.name in ("auditbeat", "systemd-sysctl")
 '''
 
 [[rule.threat]]

rules/linux/discovery_suspicious_proc_enumeration.toml

@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/09"
+updated_date = "2023/07/28"
 
 [rule]
 author = ["Elastic"]
@@ -38,9 +38,9 @@ For this detection rule to trigger, the following additional audit rules are req
 
 Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
 """
-risk_score = 47
+risk_score = 21
 rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd"
-severity = "medium"
+severity = "low"
 tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "threshold"
@@ -72,4 +72,4 @@ field = ["host.id", "process.pid", "process.name"]
 value = 1
 [[rule.threshold.cardinality]]
 field = "file.path"
-value = 25
+value = 100

rules/linux/execution_abnormal_process_id_file_created.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -80,11 +80,12 @@ type = "new_terms"
 
 query = '''
 host.os.type : "linux" and event.category : "file" and event.action : ("creation" or "file_create_event") and
-user.id : "0" and file.path : (/var/run/* or /run/*) and file.extension : ("pid" or "lock" or "reboot") and not 
-file.name : ("auditd.pid" or "python*" or "apport.pid" or "apport.lock" or "kworker*" or "gdm3.pid" or "sshd.pid" or 
+user.id : "0" and file.extension : ("pid" or "lock" or "reboot") and file.path : (/var/run/* or /run/*) and not 
+file.name : ("auditd.pid" or python* or "apport.pid" or "apport.lock" or kworker* or "gdm3.pid" or "sshd.pid" or 
 "acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or 
 "docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or 
-"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid")
+"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid" or "winbindd.pid" or "chronyd.pid") and
+not process.name : ("runc" or "ufw" or "snapd" or "snap" or "iptables")
 '''
 
 [[rule.threat]]
@@ -106,4 +107,4 @@ value = ["process.executable", "file.path"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-14d"

rules/linux/execution_remote_code_execution_via_postgresql.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/20"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -20,15 +20,18 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Code Execution via Postgresql"
-risk_score = 73
+risk_score = 47
 rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e"
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 type = "eql"
 
 query = '''
 process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and 
-event.type == "start" and user.name == "postgres" and (process.parent.args : "*sh" or process.args : "*sh")
+event.type == "start" and user.name == "postgres" and (
+  (process.parent.args : "*sh" and process.parent.args : "echo*") or 
+  (process.args : "*sh" and process.args : "echo*")
+) and not process.parent.name : "puppet"
 '''
 
 [[rule.threat]]

rules/linux/persistence_cron_job_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/09"
+updated_date = "2023/07/31"
 
 [rule]
 author = ["Elastic"]
@@ -31,8 +31,9 @@ type = "new_terms"
 query = '''
 host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and 
 file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or 
-/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /var/spool/cron/* or /usr/sbin/cron or /usr/sbin/anacron) 
-and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd") or file.extension : "swp")
+/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) 
+and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or 
+file.extension : ("swp" or "swx"))
 '''
 
 [[rule.threat]]

rules/linux/persistence_init_d_file_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/31"
 
 [transform]
 [[transform.osquery]]
@@ -132,8 +132,8 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
-file.path : /etc/init.d/* and not process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not 
-file.extension : "swp"
+file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "chef-client" or "apk" or "yum" or 
+"rpm" or "vmis-launcher" or "exe") and not file.extension : ("swp" or "swx")
 '''
 
 [[rule.threat]]

rules/linux/persistence_message_of_the_day_creation.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/31"
 
 [transform]
 [[transform.osquery]]
@@ -126,7 +126,8 @@ type = "new_terms"
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
 file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not 
-process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not file.extension : "swp"
+process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/kaniko/executor") and not 
+file.extension : ("swp" or "swx")
 '''
 
 [[rule.threat]]

rules/linux/persistence_message_of_the_day_execution.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/31"
 
 [transform]
 [[transform.osquery]]
@@ -127,7 +127,8 @@ query = '''
 process where host.os.type == "linux" and 
 event.type == "start" and event.action : ("exec", "exec_event") and
 process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and
-process.executable : ("*sh", "python*", "perl", "php*")
+process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "nc", "ncat", 
+"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet", "awk")
 '''
 
 [[rule.threat]]