[Rule Tuning] Linux DR Tuning - Part 2 (#4417)

2025-01-29 10:34:13 +01:00
parent 4e95bc7891
commit 52d33c12b8
13 changed files with 41 additions and 27 deletions
@@ -2,7 +2,7 @@
 creation_date = "2024/08/08"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -76,7 +76,10 @@ not (
    "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/opt/dynatrace/oneagent/*"
  ) or
  process.executable == null or
-  process.name == "java" or
+  process.name in (
+    "java", "executor", "ssm-agent-worker", "packagekitd", "crio", "dockerd-entrypoint.sh",
+    "docker-init", "BootTimeChecker"
+  ) or
  (process.name == "sed" and file.name : "sed*") or
  (process.name == "perl" and file.name : "e2scrub_all.tmp*")
 )
@@ -2,7 +2,7 @@
 creation_date = "2020/04/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -75,7 +75,9 @@ type = "new_terms"
 query = '''
 host.os.type:linux and event.category:process and event.type:start and
 process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and
-not process.parent.name:(apt-key or update-motd-updates-available or apt-get)
+not process.parent.name:(
+  apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx
+)
 '''
 note = """## Triage and analysis

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -72,8 +72,9 @@ process.name == "mkdir" and process.parent.executable like (
 ) and process.args like (".*", "/*/.*") and process.args_count <= 3 and not (
  process.parent.executable like ("/tmp/newroot/*", "/run/containerd/*") or
  process.command_line like ("mkdir -p .", "mkdir ./*") or
+  process.args == "/root/.ssh" or
  process.parent.executable like (
-    "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img"
+    "/tmp/pear/temp/*", "/var/tmp/buildah*", "/tmp/python-build.*", "/tmp/cliphist-wofi-img", "/tmp/snap.rootfs_*"
  )
 )
 '''
@@ -2,7 +2,7 @@
 creation_date = "2020/04/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
 process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
 not process.name in (
  "ls", "find", "grep", "git", "jq", "basename", "check_snmp", "snmpget", "snmpwalk", "cc1plus", "snap",
-  "command-not-found"
+  "command-not-found", "sqlite", "apk", "fgrep", "locate", "objdump"
 )
 '''
 note = """## Triage and analysis
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ type = "eql"

 query = '''
 file where host.os.type == "linux" and event.type == "creation" and file.extension == "so" and file.name : ".*.so" and
-not process.name == "dockerd"
+not process.name in ("dockerd", "azcopy", "podman")
 '''
 note = """## Triage and analysis

@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -67,6 +67,8 @@ event.category:process and host.os.type:linux and event.type:start and event.act
  ) or
  process.args:(/etc/apt/trusted.gpg.d/* or /tmp/apt-key-gpg*) or
  process.name:(awk or apt-config or dpkg or grep or gpgv or sed) or
+  (user.name:_apt and process.name:(sqv or apt-key or gpgconf or sort or mktemp or find or cmp or gpg-connect-agent)) or
+  (user.name:man and process.name:mandb) or
  (user.name:daemon and process.name:at)
 )
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 process.name in ("update-ca-trust", "update-ca-certificates") and not (
  process.parent.name like (
    "ca-certificates.postinst", "ca-certificates-*.trigger", "pacman", "pamac-daemon", "autofirma.postinst",
-    "ipa-client-install", "su", "platform-python", "python*", "kesl", "execd"
+    "ipa-client-install", "su", "platform-python", "python*", "kesl", "execd", "systemd", "flock"
  ) or
  process.parent.args like "/var/tmp/rpm*" or
  (process.parent.name in ("sh", "bash", "zsh") and process.args == "-e")
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.16.2 for the SentinelOne Integration."
 min_stack_version = "8.16.2"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event")
-and file.path : "/etc/selinux/config"
+and file.path : "/etc/selinux/config" and not process.name in ("dockerd", "platform-python")
 '''
 note = """## Triage and analysis

@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -72,8 +72,9 @@ not (
  process.parent.name:(
    mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or
    vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or weak-modules or zfs or
-    systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install
-  )
+    systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install or newrelic-infra
+  ) or
+  process.parent.executable:/var/lib/dpkg/info/linux-modules*-generic.post*
 )
 '''
 note = """## Triage and analysis
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -66,11 +66,12 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
-  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and process.parent.name != null and
  (
    (process.name in ("dpkg", "dpkg-query") and process.args == "libpam-modules") or
    (process.name == "rpm" and process.args == "pam")
-  )
+  ) and
+not process.parent.name in ("dcservice", "inspectorssmplugin")
 '''
 note = """## Triage and analysis

@@ -2,7 +2,7 @@
 creation_date = "2023/07/20"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ query = '''
 sequence by process.pid, host.id with maxspan=5s
  [file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and
   auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") and
-   not process.name == "agentbeat"
+   not process.name in ("agentbeat", "packetbeat")
  ] with runs=10
 '''
 note = """## Triage and analysis
@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -68,7 +68,8 @@ process where host.os.type == "linux" and event.type == "start" and
    "/home/*/.aws/credentials", "/home/*/.aws/config", "/home/*/.config/gcloud/*credentials.json",
    "/home/*/.config/gcloud/configurations/config_default", "/home/*/.azure/accessTokens.json",
    "/home/*/.azure/azureProfile.json"
-  )
+  ) and 
+not process.parent.name in ("wazuh-modulesd", "lynis")
 '''
 note = """## Triage and analysis

@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"

 [rule]
 author = ["Elastic"]
@@ -58,7 +58,10 @@ query = '''
 sequence by host.id, process.parent.entity_id with maxspan=1s
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.name == "id" and process.args_count == 2 and
-   not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20
+   not (
+     process.parent.name in ("rpm", "snarftmp", "quota_copy", "java") or
+     process.parent.args : "/var/tmp/rpm-tmp*"
+    )] with runs=20
 '''
 note = """## Triage and analysis