[Rule Tuning] Standardizing Risk Score according to Severity (#2242)

rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/05/16"
 maturity = "production"
-updated_date = "2022/07/26"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
     "https://twitter.com/GossiTheDog/status/1522964028284411907",
     "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
 ]
-risk_score = 43
+risk_score = 47
 rule_id = "eb6a3790-d52d-11ec-8ce9-f661ea17fbce"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control"]

rules/linux/execution_abnormal_process_id_file_created.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
-updated_date = "2022/05/12"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
     "https://twitter.com/GossiTheDog/status/1522964028284411907",
     "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
 ]
-risk_score = 43
+risk_score = 47
 rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]

rules/linux/persistence_chkconfig_service_add.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
-updated_date = "2022/07/22"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ name = "Chkconfig Service Add"
 references = [
     "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
 ]
-risk_score = 74
+risk_score = 47
 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lightning Framework"]

rules/linux/persistence_dynamic_linker_backup.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/07/12"
 maturity = "production"
-updated_date = "2022/07/12"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ name = "Dynamic Linker Copy"
 references = [
     "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"
 ]
-risk_score = 85
+risk_score = 73
 rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0"
 severity = "high"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit"]

rules/linux/persistence_etc_file_creation.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
-updated_date = "2022/07/22"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ references = [
     "https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
     "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
 ]
-risk_score = 80
+risk_score = 47
 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework"]

rules/linux/persistence_insmod_kernel_module_load.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/07/11"
 maturity = "production"
-updated_date = "2022/07/11"
+updated_date = "2022/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ name = "Kernel module load via insmod"
 references = [
     "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
 ]
-risk_score = 85
+risk_score = 47
 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit"]