vim shell evasion threat (#1865)

* vim shell evasion threat

* Update rules/linux/execution_vi_binary.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_vi_binary.toml

* Update rules/linux/execution_vi_binary.toml

* Update rules/linux/execution_vi_binary.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 152477904f)

rules/linux/execution_vi_binary.toml

@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/03/03"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/22"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
-This activity is not standard use with this binary for a user or system administrator and could potentially indicate
-malicious actor attempting to improve the capabilities or stability of their access."
+The vi/vim is the standard text editor in Linux distribution and the activity of spawning a shell is not a standard use
+of this binary by a user or system administrator and could potentially indicate malicious actor attempting to improve
+the capabilities or stability of their access."
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
@@ -24,9 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-sequence by host.id,process.pid with maxspan=1m
-[process where process.name == "vi" and process.args : "-c" and process.args : (":!/bin/bash", ":!/bin/sh", ":!bash", ":!sh")]
-[process where process.parent.name == "vi" and process.name : ("bash", "sh")]
+process where event.type == "start" and process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args in (":!/bin/bash", ":!/bin/sh", ":!bash", ":!sh") and process.name in ("bash", "sh")
 '''