[Rule Tuning] Linux DR Tuning - 1 (#5122)

* [Rule Tuning] Linux DR Tuning - 1

* Added integrations

* Update command_and_control_git_repo_or_file_download_to_sus_dir.toml

* Update collection_linux_clipboard_activity.toml

* Update collection_linux_clipboard_activity.toml

* Update rules/linux/command_and_control_aws_cli_endpoint_url_used.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update collection_linux_clipboard_activity.toml

* Update rules/linux/command_and_control_aws_cli_endpoint_url_used.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

rules/linux/collection_linux_clipboard_activity.toml

@@ -1,18 +1,23 @@
 [metadata]
 creation_date = "2023/07/27"
-integration = ["endpoint", "auditd_manager"]
+integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group
-leader. Adversaries may collect data stored in the clipboard from users copying information within or between
-applications.
+This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process parent.
+Adversaries may collect data stored in the clipboard from users copying information within or between applications.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
+index = [
+          "logs-endpoint.events.process*",
+          "logs-sentinel_one_cloud_funnel.*",
+          "endgame-*",
+          "auditbeat-*",
+          "logs-auditd_manager.auditd-*",
+        ]
 language = "kuery"
 license = "Elastic License v2"
 name = "Linux Clipboard Activity Detected"
@@ -27,13 +32,14 @@ tags = [
     "Data Source: Elastic Defend",
     "Data Source: Elastic Endgame",
     "Data Source: Auditd Manager",
+    "Data Source: SentinelOne",
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 event.category:process and host.os.type:"linux" and event.type:"start" and
-event.action:("exec" or "exec_event" or "executed" or "process_started") and
+event.action:("exec" or "exec_event" or "executed" or "process_started" or "start") and
 process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq") and
 not process.parent.name:("bwrap" or "micro")
 '''
@@ -88,8 +94,8 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.group_leader.executable"]
+value = ["agent.id", "process.parent.executable"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-5d"

rules/linux/command_and_control_aws_cli_endpoint_url_used.toml

@@ -1,16 +1,27 @@
 [metadata]
 creation_date = "2024/08/21"
-integration = ["endpoint", "crowdstrike"]
+integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/09/16"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the use of the AWS CLI with the `--endpoint-url` argument, which allows users to specify a custom endpoint URL for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints, potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise of legitimate AWS operations.
+Detects the use of the AWS CLI with the "--endpoint-url" argument, which allows users to specify a custom endpoint URL
+for AWS services. This can be leveraged by adversaries to redirect API requests to non-standard or malicious endpoints,
+potentially bypassing typical security controls and logging mechanisms. This behavior may indicate an attempt to interact
+with unauthorized or compromised infrastructure, exfiltrate data, or perform other malicious activities under the guise
+of legitimate AWS operations.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-crowdstrike.fdr*"]
+index = [
+          "logs-crowdstrike.fdr*",
+          "logs-endpoint.events.process*",
+          "logs-sentinel_one_cloud_funnel.*",
+          "endgame-*",
+          "auditbeat-*",
+          "logs-auditd_manager.auditd-*",
+        ]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CLI Command with Custom Endpoint URL"
@@ -21,18 +32,23 @@ risk_score = 47
 rule_id = "349276c0-5fcf-11ef-b1a9-f661ea17fbce"
 severity = "medium"
 tags = [
-  "Data Source: Elastic Defend",
-  "Domain: Endpoint",
-  "OS: Linux",
-  "Use Case: Threat Detection",
-  "Tactic: Command and Control",
-  "Resources: Investigation Guide",
-  "Data Source: Crowdstrike",
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Defend",
+    "Data Source: Elastic Endgame",
+    "Data Source: Auditd Manager",
+    "Data Source: Crowdstrike",
+    "Data Source: SentinelOne",
 ]
 type = "new_terms"
 timestamp_override = "event.ingested"
 query = '''
-host.os.type: "linux" and event.category: "process" and process.name: "aws" and process.args:  "--endpoint-url"
+host.os.type:"linux" and event.category:"process" and
+event.action:("exec" or "exec_event" or "executed" or "process_started" or "ProcessRollup2") and
+process.name:"aws" and process.args:"--endpoint-url"
 '''
 note = """## Triage and analysis
 
@@ -72,21 +88,21 @@ The AWS CLI allows users to interact with AWS services via command-line, offerin
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1102"
 name = "Web Service"
 reference = "https://attack.mitre.org/techniques/T1102/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
-
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.name"]
+value = ["host.id"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-10d"
+value = "now-3d"

rules/linux/command_and_control_cat_network_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/09/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/09/16"
 
 [transform]
 [[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
 label = "Osquery - Retrieve Process Info"
 query = "SELECT name, cmdline, parent, path, uid FROM processes"
 
-
 [rule]
 author = ["Elastic"]
 description = """
@@ -138,23 +137,22 @@ tags = [
     "Resources: Investigation Guide",
 ]
 type = "eql"
-
 query = '''
-sequence by host.id, process.entity_id with maxspan=1s
+sequence by host.id, process.entity_id with maxspan=3s
   [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
    process.name == "cat" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
   [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and
-   process.name == "cat" and not (destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
-     destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
-     "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
-     "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
-     "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
-     "FF00::/8"
+   process.name == "cat" and not (
+     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
+       destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+       "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+       "FF00::/8"
      )
    )]
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -162,6 +160,7 @@ framework = "MITRE ATT&CK"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -169,6 +168,7 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
@@ -176,4 +176,3 @@ framework = "MITRE ATT&CK"
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
-

rules/linux/command_and_control_curl_socks_proxy_detected.toml

@@ -2,13 +2,13 @@
 creation_date = "2024/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/09/16"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the use of the `curl` command-line tool with SOCKS proxy options, launched from an unusual parent
-process. Attackers may use `curl` to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate
+This rule detects the use of the "curl" command-line tool with SOCKS proxy options, launched from an unusual parent
+process. Attackers may use "curl" to establish a SOCKS proxy connection to bypass network restrictions and exfiltrate
 data or communicate with C2 servers.
 """
 from = "now-9m"
@@ -16,7 +16,7 @@ index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Curl SOCKS Proxy Activity from Unusual Parent"
-risk_score = 21
+risk_score = 47
 rule_id = "734239fe-eda8-48c0-bca8-9e3dafd81a88"
 setup = """## Setup
 
@@ -56,7 +56,7 @@ In order to capture this behavior, this rule requires a specific configuration o
 After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
 For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -71,13 +71,18 @@ query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.name == "curl" and (
   process.parent.executable like (
-    "/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/html/*", "/opt/.*"
+    "/dev/shm/*", "/tmp/*", "/var/tmp/*", "/var/run/*", "/root/*", "/boot/*", "/var/www/*", "/opt/.*",
+    "/home/*"
   ) or
-  process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
+  process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or
+  process.parent.name like ".*"
 ) and (
   process.args like ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or
   process.args == "-x" or
-  process.env_vars like ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
+  process.env_vars like~ ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
+) and not (
+  process.parent.args == "/opt/rudder/share/commands/agent-run" or
+  process.args == "http://localhost:8080/rudder/api/status"
 )
 '''
 note = """## Triage and analysis

rules/linux/command_and_control_git_repo_or_file_download_to_sus_dir.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/07"
+updated_date = "2025/09/16"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ the creation of files in suspicious directories such as /tmp, /var/tmp, or /dev/
 attempt to download a payload, exploit or tool.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*", "logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Git Repository or File Download to Suspicious Directory"
@@ -106,6 +106,9 @@ sequence by process.entity_id, host.id with maxspan=10s
   [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
      (process.name == "git" and process.args == "clone") or
      (process.name in ("wget", "curl") and process.command_line like~ "*github*")
+  ) and not (
+    process.parent.name in ("git", "cmake") or
+     process.parent.args like "/root/.ansible/tmp/ansible*"
   )]
   [file where host.os.type == "linux" and event.type == "creation" and file.path like ("/tmp/*", "/var/tmp/*", "/dev/shm/*")]
 '''