From 3247e1565b2cbe8b8d6db8a729f5afb4930f762f Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 19 Dec 2023 20:17:53 +0100
Subject: [PATCH] [Rule Tuning] Linux BBR Tuning (#3347)

* [Rule Tuning] Linux BBR Tuning

* Update persistence_creation_of_kernel_module.toml

(cherry picked from commit b32733601a17514be9facdf1f7f0c9bfa244c0b1)
---
 .../discovery_linux_modprobe_enumeration.toml | 5 +++--
 .../discovery_linux_sysctl_enumeration.toml | 5 +++--
 .../persistence_creation_of_kernel_module.toml | 14 +++++++++++---
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml
index 46db52891..70cad947d 100644
--- a/rules_building_block/discovery_linux_modprobe_enumeration.toml
+++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/10/19"
+updated_date = "2023/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,8 @@ type = "new_terms"
 building_block_type = "default"
 query = '''
 host.os.type:linux and event.category:file and event.action:"opened-file" and
-file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*)
+file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and
+not process.name:(cp or dpkg or dockerd or lynis or mkinitramfs or snapd)
 '''
 
 [[rule.threat]]
diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml
index 49c308883..7b6a27e74 100644
--- a/rules_building_block/discovery_linux_sysctl_enumeration.toml
+++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml
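Review bot: The added `not process.name:(cp or dpkg or dockerd or lynis or mkinitramfs or snapd)` line filters on the self-reported process name alone, and `cp` in particular is a general-purpose utility, so every read of the modprobe configuration performed through `cp` is now dropped regardless of who ran it, which is a wider blind spot than the package-manager entries. If auditd_manager populates `process.executable` for these opened-file events, pinning the noisy entries to their install paths would keep the tuning while narrowing the gap; where that is not possible, a TOML comment above `query = '''` such as `# process.name exclusions: package/initramfs tooling and lynis routinely read modprobe.d; keep this list minimal` would record the intent for the next tuner. The same name-only exclusion pattern is introduced in the sysctl and kernel-module hunks of this commit.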
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/10/19"
+updated_date = "2023/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,8 @@ type = "new_terms"
 building_block_type = "default"
 query = '''
 host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and
-file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*)
+file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and
+not process.name:(dpkg or dockerd or unattended-upg)
 '''
 
 [[rule.threat]]
diff --git a/rules_building_block/persistence_creation_of_kernel_module.toml b/rules_building_block/persistence_creation_of_kernel_module.toml
index 64b662db0..a732daf84 100644
--- a/rules_building_block/persistence_creation_of_kernel_module.toml
+++ b/rules_building_block/persistence_creation_of_kernel_module.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/23"
+updated_date = "2023/12/18"
 
 [rule]
 author = ["Elastic"]
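Review bot: `unattended-upg` on the added `not process.name:(dpkg or dockerd or unattended-upg)` line looks like a truncated process name rather than a binary that exists under that exact name; if it reflects how auditd reports the `unattended-upgrade` tool on the hosts this was tuned against, it should be confirmed against the data and noted above `query = '''` (`# "unattended-upg" is the name as reported by auditd, not a typo`), and if it is a typo the term never matches and the exclusion is dead. Unlike the modprobe rule, this query also covers `wrote-to-file`, so the exclusion suppresses modifications of sysctl.conf and sysctl.d by these names, not only reads, which is worth stating in the same comment so the trade-off is visible to whoever widens the list next.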
@@ -21,12 +21,20 @@ name = "Creation of Kernel Module"
 risk_score = 21
 rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Rule Type: BBR",
+ "Data Source: Elastic Defend"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where event.type in ("change", "creation") and host.os.type == "linux" and
-file.path : "/lib/modules/*" and file.name : "*.ko"
+file.path : "/lib/modules/*" and file.name : "*.ko" and
+not process.name : ("dpkg", "systemd", "falcon-sensor*", "dnf", "yum", "rpm")
 '''
 
 [[rule.threat]]
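Review bot: The reflowed `tags` array closes with `]` indented to the element level and the last element `"Data Source: Elastic Defend"` carries no trailing comma, which is the opposite of the usual multi-line TOML array layout and makes every future tag addition a two-line diff; put the closing bracket at column 0 and end the last element with `"Data Source: Elastic Defend",`. The tags reflow is also unrelated to the query tuning this commit is about and would be easier to review as its own change. On the query itself, `systemd` is a broad name to drop on writes of `*.ko` under `/lib/modules/`; this Elastic Defend source presumably carries `process.executable`, so anchoring that entry to its binary path rather than the bare name would keep the noise reduction with a smaller blind spot.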