[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 9 (#4356)
This commit is contained in:
Jonhnathan
@@ -1,8 +1,10 @@
|
||||
[metadata]
|
||||
creation_date = "2024/06/26"
|
||||
integration = ["endpoint"]
|
||||
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/09/23"
|
||||
min_stack_version = "8.13.0"
|
||||
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
|
||||
updated_date = "2025/01/08"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +15,7 @@ spawned by the Git process itself. This behavior may indicate an attacker attemp
|
||||
leveraging the legitimate Git process to execute unauthorized commands.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Git Hook Child Process"
|
||||
@@ -57,24 +59,31 @@ tags = [
|
||||
"Tactic: Execution",
|
||||
"Tactic: Defense Evasion",
|
||||
"Data Source: Elastic Defend",
|
||||
"Data Source: Crowdstrike",
|
||||
"Data Source: SentinelOne",
|
||||
"Data Source: Elastic Endgame",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name in (
|
||||
"applypatch-msg", "commit-msg", "fsmonitor-watchman", "post-update", "post-checkout", "post-commit",
|
||||
"pre-applypatch", "pre-commit", "pre-merge-commit", "prepare-commit-msg", "pre-push", "pre-rebase", "pre-receive",
|
||||
"push-to-checkout", "update", "post-receive", "pre-auto-gc", "post-rewrite", "sendemail-validate", "p4-pre-submit",
|
||||
"post-index-change", "post-merge", "post-applypatch"
|
||||
) and (
|
||||
process.name in ("nohup", "setsid", "disown", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or
|
||||
process.name : ("php*", "perl*", "ruby*", "lua*") or
|
||||
process.executable : (
|
||||
"/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*",
|
||||
"/run/*", "/srv/*", "/tmp/*", "/var/tmp/*", "/var/log/*"
|
||||
)
|
||||
) and not process.name in ("git", "dirname")
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
|
||||
process.parent.name in (
|
||||
"applypatch-msg", "commit-msg", "fsmonitor-watchman", "post-update", "post-checkout", "post-commit",
|
||||
"pre-applypatch", "pre-commit", "pre-merge-commit", "prepare-commit-msg", "pre-push", "pre-rebase", "pre-receive",
|
||||
"push-to-checkout", "update", "post-receive", "pre-auto-gc", "post-rewrite", "sendemail-validate", "p4-pre-submit",
|
||||
"post-index-change", "post-merge", "post-applypatch"
|
||||
) and
|
||||
(
|
||||
process.name in ("nohup", "setsid", "disown", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") or
|
||||
process.name : ("php*", "perl*", "ruby*", "lua*") or
|
||||
process.executable : (
|
||||
"/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*",
|
||||
"/run/*", "/srv/*", "/tmp/*", "/var/tmp/*", "/var/log/*"
|
||||
)
|
||||
) and
|
||||
not process.name in ("git", "dirname")
|
||||
'''
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user