Prep for Release 9.0 (#4550)

rules/linux/persistence_web_server_sus_command_execution.toml

@@ -2,20 +2,17 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "ES|QL rule type in technical preview as of 8.13"
-min_stack_version = "8.13.0"
-updated_date = "2025/03/04"
+updated_date = "2025/03/20"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may
-attempt to execute commands from a web server parent process to blend in with normal web server activity and
-evade detection. This behavior is commonly observed in web shell attacks where adversaries exploit web server
-vulnerabilities to execute arbitrary commands on the host. The detection rule identifies unusual command
-execution from web server parent processes, which may indicate a compromised host or an ongoing attack.
-ES|QL rules have limited fields available in its alert documents. Make sure to review the original documents
-to aid in the investigation of this alert.
+This rule detects potential command execution from a web server parent process on a Linux host. Adversaries may attempt
+to execute commands from a web server parent process to blend in with normal web server activity and evade detection.
+This behavior is commonly observed in web shell attacks where adversaries exploit web server vulnerabilities to execute
+arbitrary commands on the host. The detection rule identifies unusual command execution from web server parent
+processes, which may indicate a compromised host or an ongoing attack. ES|QL rules have limited fields available in its
+alert documents. Make sure to review the original documents to aid in the investigation of this alert.
 """
 from = "now-61m"
 interval = "1h"
@@ -61,6 +58,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "esql"
+
 query = '''
 from logs-endpoint.events.process-*
 | keep @timestamp, host.os.type, event.type, event.action, process.parent.name, user.name, user.id, process.working_directory, process.name, process.command_line, process.parent.executable, agent.id
@@ -95,51 +93,51 @@ from logs-endpoint.events.process-*
 | limit 100
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
-[rule.threat.tactic]
-name = "Persistence"
-id = "TA0003"
-reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat.technique]]
 id = "T1505"
 name = "Server Software Component"
 reference = "https://attack.mitre.org/techniques/T1505/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1505.003"
 name = "Web Shell"
 reference = "https://attack.mitre.org/techniques/T1505/003/"
 
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+
 
 [rule.threat.tactic]
-name = "Execution"
-id = "TA0002"
-reference = "https://attack.mitre.org/tactics/TA0002/"
-
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
-[[rule.threat]]
-framework = "MITRE ATT&CK"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
 
 [rule.threat.tactic]
-name = "Command and Control"
 id = "TA0011"
+name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
 
-[[rule.threat.technique]]
-name = "Application Layer Protocol"
-id = "T1071"
-reference = "https://attack.mitre.org/techniques/T1071/"