From 70fdd9c7d7d5acb7fd100b36735425e345683d8d Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Tue, 5 Nov 2019 04:38:27 +0300 Subject: [PATCH] Update lnx_data_compressed.yml --- rules/linux/auditd/lnx_data_compressed.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml index 59e775e0c..00bd269b0 100644 --- a/rules/linux/auditd/lnx_data_compressed.yml +++ b/rules/linux/auditd/lnx_data_compressed.yml @@ -2,8 +2,9 @@ title: Data Compressed status: experimental description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network author: Timur Zinniatullin, oscd.community +date: 2019/10/21 +modified: 2019/11/04 references: - - https://attack.mitre.org/techniques/T1002/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml logsource: product: linux @@ -19,10 +20,10 @@ detection: selection3: type: 'execve' a0: 'tar' - a1: '-cvzf' + a1|contains: '-c' condition: 1 of them falsepositives: - - highly likely + - Legitimate use of archiving tools by legitimate user level: low tags: - attack.exfiltration
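Review bot: The first hunk drops the only ATT&CK link (`- https://attack.mitre.org/techniques/T1002/`) from `references`, leaving just the atomic-red-team test file, while the rule keeps its `attack.exfiltration` tag and an ATT&CK-derived description; the commit message ("Update lnx_data_compressed.yml") does not say why. Either keep the technique reference alongside the atomic test, or state the reason for removing it in the commit message so reviewers can trace the rule back to the technique it claims to cover. The added `date` and `modified` fields follow the YYYY/MM/DD form used elsewhere in the rule set and look fine.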
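Review bot: In the second hunk, replacing `a1: '-cvzf'` with `a1|contains: '-c'` is both broader and narrower than intended. It is broader because any first argument containing the substring `-c` now matches (for example `--checkpoint`, and `-C` on a case-insensitive backend, neither of which creates an archive); it is narrower because it still inspects only `a1`, so common invocations such as `tar czf ...` (no leading dash), `tar -zcvf ...` (create flag not adjacent to the dash) or `tar -v -c ...` (create flag in a later argument) are missed. Consider a `selection3` that lists the create forms explicitly (`'-c*'` and `'--create'` with `startswith`, plus a bare `'c*'` cluster) and checks the argument fields the audit log actually populates, then document the expected coverage. The new `falsepositives` text is a clear improvement over `highly likely` and, given how permissive the match now is, keeping `level: low` is consistent with it.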