From 8766a23ad696f7b6a0d48e5359d4fd16f4a5a2ec Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Thu, 17 Nov 2022 22:55:39 +0530
Subject: [PATCH] Rule Tuning as part of 8.6 (#2398)

---
 rules/linux/persistence_etc_file_creation.toml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 230705365..e9bae72e8 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/11/17"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,10 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.action == "creation" and user.name == "root" and file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*") and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd")
+file where event.action == "creation" and user.name == "root" and
+file.path : ("/etc/ld.so.conf.d/*", "/etc/cron.d/*", "/etc/sudoers.d/*", "/etc/rc.d/init.d/*", "/etc/systemd/system/*")
+and not process.executable : ("*/dpkg", "*/yum", "*/apt", "*/dnf", "*/systemd", "*/snapd", "*/dnf-automatic",
+ "*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system")
 '''
 
 [[rule.threat]]