[Rule Tuning] Add endgame support for Linux Rules (#2436)

* [Rule Tuning] Add endgame support for Linux Rules * [Rule Tuning] Add endgame support for Linux Rules * . * Update persistence_insmod_kernel_module_load.toml
2023-01-23 20:53:15 -03:00
parent 7cde7901e3
commit 77c8665f11
34 changed files with 109 additions and 109 deletions
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2022/12/20"
 integration = ["endpoint"]

 [rule]
@@ -12,7 +12,7 @@ description = """
 Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Kernel module load via insmod"
@@ -22,7 +22,7 @@ references = [
 risk_score = 47
 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit", "Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"