From f7fbfda7940dab6942a3455eeb529fa0079b294b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96mer=20G=C3=BCnal?=
Date: Fri, 16 Oct 2020 20:53:00 +0300
Subject: [PATCH] Update lnx_system_info_discovery.yml

---
 rules/linux/lnx_system_info_discovery.yml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml
index 2768bb6c4..f1afc953c 100644
--- a/rules/linux/lnx_system_info_discovery.yml
+++ b/rules/linux/lnx_system_info_discovery.yml
@@ -1,3 +1,4 @@
+action: global
 title: System Information Discovery
 id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
 status: stable
@@ -5,9 +6,11 @@ description: Detects system information discovery commands
 author: Ömer Günal, oscd.community
 date: 2020/10/08
 references:
- - https://attack.mitre.org/techniques/T1082/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
+---
 logsource:
 product: linux
+ categories: process_creation
 detection:
 selection:
 CommandLine|contains:
@@ -21,7 +24,13 @@ detection:
 - 'dmidecode'
 - 'lscpu'
 - 'lsmod'
- selection2:
+ condition: selection
+---
+logsource:
+ product: linux
+ categories: file_event
+detection:
+ selection:
 type: 'PATH'
 name:
 - '/sys/class/dmi/id/bios_version'
@@ -29,7 +38,7 @@ detection:
 - '/sys/class/dmi/id/chassis_vendor'
 - '/proc/scsi/scsi'
 - '/proc/ide/hd0/model'
- condition: selection or selection2
+ condition: selection
 falsepositives:
 - Legitimate administration activities
 level: low
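Review bot: `categories: process_creation` in the second hunk is not a Sigma logsource key; the schema and the backend field mappings are keyed on `category`, so as written this logsource carries only `product: linux` and the rule is not bound to process-creation events by any converter. Change the added line to `    category: process_creation`. The hunk also replaces the ATT&CK T1082 link rather than adding to it; the technique page is the canonical reference for a discovery rule, so keep `    - https://attack.mitre.org/techniques/T1082/` alongside the atomic-red-team link.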
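Review bot: The third hunk repeats the misspelled logsource key for the new file-event document: `categories: file_event` must be `    category: file_event` for the split to do anything. Now that `---` turns this into two separate rules, the second rule's selection still uses the raw auditd record fields `type: 'PATH'` and `name:`; confirm that the `file_event` mapping for `product: linux` in the backends you target accepts those names rather than a normalized filename field, otherwise this rule silently matches nothing after conversion.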
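Review bot: In the last hunk `falsepositives:` and `level: low` are left in the final document, after the second `---`, so only the file-event rule carries them; the process-creation rule generated from this collection ends up with no `level` and no `falsepositives`, which the repository's rule tests and any severity-based routing will notice. Move both keys into the `action: global` document before the first `---` so both generated rules inherit them. The `condition: selection` change itself is correct once `selection2` is no longer in the same document.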