Setup information for Linux Rules - Set5 (#3188)
(cherry picked from commit 2a48db0598)
This commit is contained in:
shashank-elastic
committed by
github-actions[bot]
github-actions[bot]
parent
f5552d2214
commit
7303d58415
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/06/22"
|
||||
updated_date = "2023/10/16"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -31,7 +31,35 @@ note = """## Triage and analysis
|
||||
Detection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. Here are some possible avenues of investigation:
|
||||
- Examine parent and child process relationships of the new process to determine if other processes are running.
|
||||
- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: "SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';"
|
||||
- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation."""
|
||||
- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.
|
||||
|
||||
## Setup
|
||||
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
references = [
|
||||
"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
|
||||
"https://twitter.com/GossiTheDog/status/1522964028284411907",
|
||||
|
||||
Reference in New Issue
Block a user