Populate rules/ directory.

Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>

rules/linux/linux_process_started_in_temp_directory.toml

@@ -0,0 +1,29 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware."
+false_positives = [
+    """
+    Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by
+    username.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Unusual Process Execution - Temp"
+risk_score = 47
+rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
+severity = "medium"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.working_directory:/tmp and event.action:executed
+'''
+