Linux Shell Evasion Rule Tuning (#1878)

* Linux Shell Evasion Rule Tuning

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_apt_binary.toml

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

* Update execution_perl_tty_shell.toml

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

rules/integrations/azure/execution_command_virtual_machine.toml

@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2020/08/17"
+maturity = "production"
+updated_date = "2021/07/20"
+integration = "azure"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage
+virtual machines, but not access them, nor access the virtual network or storage account they’re connected to. However,
+commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles
+may be able to execute commands on a VM as well.
+"""
+false_positives = [
+    """
+    Command execution on a virtual machine may be done by a system or network administrator. Verify whether the
+    username, hostname, and/or resource name should be making changes in your environment. Command execution from
+    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
+    from the rule.
+    """,
+]
+from = "now-25m"
+index = ["filebeat-*", "logs-azure*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure Command Execution on Virtual Machine"
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://adsecurity.org/?p=4277",
+    "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
+    "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor",
+]
+risk_score = 47
+rule_id = "60884af6-f553-4a6c-af13-300047455491"
+severity = "medium"
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+