[Rule Tuning] Add endgame support for Linux Rules (#2436)

* [Rule Tuning] Add endgame support for Linux Rules * [Rule Tuning] Add endgame support for Linux Rules * . * Update persistence_insmod_kernel_module_load.toml
2023-01-23 20:53:15 -03:00
parent 7cde7901e3
commit 77c8665f11
34 changed files with 109 additions and 109 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/19"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential DNS Tunneling via Iodine"
@@ -27,7 +27,7 @@ references = ["https://code.kryo.se/iodine/"]
 risk_score = 73
 rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ system within a separate protocol to avoid detection and network filtering, or t
 systems.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Protocol Tunneling via EarthWorm"
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the use of a compression utility to collect known files containing se
 and system configurations.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Sensitive Files Compression"
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Collection", "Credential Access"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Collection", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ enable unauthorized access or to log SSH credentials for exfiltration.
 """
 false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential OpenSSH Backdoor Logging Activity"
@@ -30,7 +30,7 @@ references = [
 risk_score = 73
 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -13,14 +13,14 @@ Adversaries may attempt to disable the syslog service in an attempt to an attemp
 detection by security controls.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Disable Syslog Service"
 risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -16,14 +16,14 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Base16 or Base32 Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ opened in write mode. Threat actors will commonly utilize this to prevent tamper
 files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -27,7 +27,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -14,14 +14,14 @@ support access control policies. Adversaries may disable security tools to avoid
 activities.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Disabling of SELinux"
 risk_score = 47
 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -14,14 +14,14 @@ a network and how. Adversaries may remove these files over the course of an intr
 remove them at the end as part of the post-intrusion cleanup process.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "File Deletion via Shred"
 risk_score = 21
 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ a "." as the first character in the file or folder name. Adversaries can use thi
 folders on the system for persistence and defense evasion.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
@@ -26,12 +26,12 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-file where event.action : "creation" and file.extension == "so" and file.name : ".*.so"
+file where event.type : "creation" and file.extension == "so" and file.name : ".*.so"
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Kernel Module Removal"
@@ -28,7 +28,7 @@ references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
 risk_score = 73
 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the deletion of sensitive Linux system logs. This may indicate an att
 forensic evidence on a system.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Log File Deletion"
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "aa895aea-b69c-4411-b110-8d7599634b30"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -20,14 +20,14 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Enumeration of Kernel Modules"
 risk_score = 47
 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Hping Process Activity"
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Hping"]
 risk_score = 73
 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Nping Process Activity"
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Nmap"]
 risk_score = 47
 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -20,14 +20,14 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Virtual Machine Fingerprinting"
 risk_score = 73
 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Abnormal Process ID or Lock File Created"
@@ -74,7 +74,7 @@ references = [
 risk_score = 47
 rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Investigation Guide"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -13,14 +13,14 @@ Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a si
 interactive tty after obtaining initial access to a host.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Perl"
 risk_score = 73
 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Process Started from Process ID (PID) File"
@@ -41,7 +41,7 @@ references = [
 risk_score = 73
 rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Binary Executed from Shared Memory Directory"
@@ -33,13 +33,13 @@ references = [
 risk_score = 73
 rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
 process where event.type == "start" and
-    event.action == "exec" and user.name == "root" and
+    event.action : ("exec", "exec_event") and user.name == "root" and
    process.executable : (
        "/dev/shm/*",
        "/run/shm/*",
@@ -2,9 +2,9 @@
 creation_date = "2020/04/15"
 integration = ["endpoint"]
 maturity = "production"
+updated_date = "2022/12/20"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"

 [rule]
 author = ["Elastic"]
@@ -13,14 +13,14 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
 interactive tty after obtaining initial access to a host.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Interactive Terminal Spawned via Python"
 risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Reverse Shell Created via Named Pipe"
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
 type = "eql"

 query = '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -14,10 +14,10 @@ shell. The linux utility(s) activity of spawning shell is not a standard use of
 administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Linux Restricted Shell Breakout via  Linux Binary(s)"
+name = "Linux Restricted Shell Breakout via Linux Binary(s)"
 note = """## Triage and analysis

 ### Investigating Shell Evasion via Linux Utilities
@@ -97,7 +97,7 @@ references = [
 risk_score = 47
 rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2022/12/20"
 integration = ["endpoint"]

 [rule]
@@ -12,7 +12,7 @@ description = """
 Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "BPF filter applied using TC"
@@ -23,7 +23,7 @@ references = [
 risk_score = 73
 rule_id = "ef04a476-07ec-48fc-8f3d-5e1742de76d3"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "TripleCross"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "TripleCross", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -4,13 +4,13 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
 description = "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period."
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "High Number of Process Terminations"
@@ -50,7 +50,7 @@ This rule identifies a high number (10) of process terminations via pkill from t
 risk_score = 47
 rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"]
 type = "threshold"

 query = '''
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2022/12/20"
 integration = ["endpoint"]

 [rule]
@@ -12,7 +12,7 @@ description = """
 Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Chkconfig Service Add"
@@ -22,14 +22,14 @@ references = [
 risk_score = 47
 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lightning Framework"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lightning Framework", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
 process where event.type == "start" and
-   (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
-   (process.args : "*chkconfig" and process.args : "--add")
+   ((process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
+   (process.args : "*chkconfig" and process.args : "--add"))
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    "Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes.",
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification of OpenSSH Binaries"
@@ -24,7 +24,7 @@ references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusi
 risk_score = 47
 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2022/12/20"
 integration = ["endpoint"]

 [rule]
@@ -12,7 +12,7 @@ description = """
 Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious File Creation in /etc for Persistence"
@@ -23,12 +23,12 @@ references = [
 risk_score = 47
 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-file where event.action == "creation" and user.name == "root" and
+file where event.type == "creation" and user.name == "root" and
 file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*")
 and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic",
 "*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system")
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2022/12/20"
 integration = ["endpoint"]

 [rule]
@@ -12,7 +12,7 @@ description = """
 Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kernel module load via insmod"
@@ -22,7 +22,7 @@ references = [
 risk_score = 47
 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation or modification of a K Desktop Environment (KDE) AutoSta
 execute upon each user logon. Adversaries may abuse this method for persistence.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via KDE AutoStart Script or Desktop File Modification"
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
    """,
 ]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Shell via Web Server"
@@ -69,7 +69,7 @@ references = [
 risk_score = 47
 rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies modification of the dynamic linker preload shared object (ld.so.prelo
 payloads by hijacking the dynamic linker used to load libraries.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification of Dynamic Linker Preload Shared Object"
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies an attempt to exploit a local privilege escalation in polkit pkexec (
 variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privilege Escalation via PKEXEC"
@@ -21,7 +21,7 @@ references = ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/
 risk_score = 73
 rule_id = "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2022/12/20"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ or escape container security boundaries. Threat actors have utilized this binary
 host and access other resources or escalate privileges.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*"]
+index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Namespace Manipulation Using Unshare"
@@ -25,12 +25,12 @@ references = [
 risk_score = 47
 rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.type == "start" and event.action == "exec" and
+process where event.type == "start" and event.action : ("exec", "exec_event") and
 process.executable: "/usr/bin/unshare" and
 not process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") and
 not process.args : "/usr/bin/snap"