From 8d4606d0dc175b8ff2bed02dcc87f42c2c088056 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Tue, 26 Jul 2022 18:48:25 +0530
Subject: [PATCH] Rule(s) deprecation as part of Linux Detection Rule Review (#2163)
(cherry picked from commit e9267e544c1ee91e54c0b8f88ca6496b78a59bda)
---
 ...vasion_attempt_to_disable_iptables_or_firewall.toml | 5 +++--
 ...cution_linux_process_started_in_temp_directory.toml | 10 +++++++---
 .../initial_access_login_failures.toml | 5 +++--
 .../initial_access_login_location.toml | 5 +++--
 .../initial_access_login_sessions.toml | 5 +++--
 .../initial_access_login_time.toml | 5 +++--
 6 files changed, 22 insertions(+), 13 deletions(-)
 rename rules/{linux => _deprecated}/defense_evasion_attempt_to_disable_iptables_or_firewall.toml (94%)
 rename rules/{linux => _deprecated}/execution_linux_process_started_in_temp_directory.toml (90%)
 rename rules/{linux => _deprecated}/initial_access_login_failures.toml (93%)
 rename rules/{linux => _deprecated}/initial_access_login_location.toml (93%)
 rename rules/{linux => _deprecated}/initial_access_login_sessions.toml (93%)
 rename rules/{linux => _deprecated}/initial_access_login_time.toml (93%)
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
similarity index 94%
rename from rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
rename to rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index 9b0638931..3aebe10f7 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/04/24"
-maturity = "production"
-updated_date = "2021/03/03"
+deprecation_date = "2022/07/25"
+maturity = "deprecated"
+updated_date = "2022/07/25"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_linux_process_started_in_temp_directory.toml b/rules/_deprecated/execution_linux_process_started_in_temp_directory.toml
similarity index 90%
rename from rules/linux/execution_linux_process_started_in_temp_directory.toml
rename to rules/_deprecated/execution_linux_process_started_in_temp_directory.toml
index 051322e00..0bb7de55c 100644
--- a/rules/linux/execution_linux_process_started_in_temp_directory.toml
+++ b/rules/_deprecated/execution_linux_process_started_in_temp_directory.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-maturity = "production"
-updated_date = "2022/07/18"
+deprecation_date = "2022/07/25"
+maturity = "deprecated"
+updated_date = "2022/07/25"
 
 [rule]
 author = ["Elastic"]
@@ -36,9 +37,12 @@ event.category:process and event.type:(start or process_started) and process.wor
 /var/lib/command-not-found/)
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
-reference = "https://attack.mitre.org/tactics/TA0002/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/initial_access_login_failures.toml b/rules/_deprecated/initial_access_login_failures.toml
similarity index 93%
rename from rules/linux/initial_access_login_failures.toml
rename to rules/_deprecated/initial_access_login_failures.toml
index 6f1f569b9..886b01706 100644
--- a/rules/linux/initial_access_login_failures.toml
+++ b/rules/_deprecated/initial_access_login_failures.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/08"
-maturity = "production"
-updated_date = "2021/03/03"
+deprecation_date = "2022/07/25"
+maturity = "deprecated"
+updated_date = "2022/07/25"
 
 [rule]
 author = ["Elastic"]
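Review bot: The new [metadata] lines record deprecation_date and maturity = "deprecated" but give no reason for retiring the rule and no pointer to whatever now covers attempts to disable iptables or a host firewall, so someone auditing Linux coverage later cannot tell from the file whether the detection was replaced or simply dropped. The same gap is in the [metadata] hunks of the other five files in this patch (execution_linux_process_started_in_temp_directory, initial_access_login_failures, initial_access_login_location, initial_access_login_sessions, initial_access_login_time). A comment above the new key would close it, e.g. `# Deprecated under #2163 (Linux rule review); replacement coverage: <REPLACEMENT_RULE_OR_NONE>`, with the placeholder filled in by the author, since the patch itself does not say whether a replacement exists. Alternatively the rationale could go in the commit description, which currently only names the review.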
diff --git a/rules/linux/initial_access_login_location.toml b/rules/_deprecated/initial_access_login_location.toml
similarity index 93%
rename from rules/linux/initial_access_login_location.toml
rename to rules/_deprecated/initial_access_login_location.toml
index a617d4719..ef086fa67 100644
--- a/rules/linux/initial_access_login_location.toml
+++ b/rules/_deprecated/initial_access_login_location.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/08"
-maturity = "production"
-updated_date = "2021/03/03"
+deprecation_date = "2022/07/25"
+maturity = "deprecated"
+updated_date = "2022/07/25"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/initial_access_login_sessions.toml b/rules/_deprecated/initial_access_login_sessions.toml
similarity index 93%
rename from rules/linux/initial_access_login_sessions.toml
rename to rules/_deprecated/initial_access_login_sessions.toml
index 4016c276d..74b0b1cf8 100644
--- a/rules/linux/initial_access_login_sessions.toml
+++ b/rules/_deprecated/initial_access_login_sessions.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/08"
-maturity = "production"
-updated_date = "2021/03/03"
+deprecation_date = "2022/07/25"
+maturity = "deprecated"
+updated_date = "2022/07/25"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/initial_access_login_time.toml b/rules/_deprecated/initial_access_login_time.toml
similarity index 93%
rename from rules/linux/initial_access_login_time.toml
rename to rules/_deprecated/initial_access_login_time.toml
index 7e2696c93..2bedf3a4c 100644
--- a/rules/linux/initial_access_login_time.toml
+++ b/rules/_deprecated/initial_access_login_time.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/08"
-maturity = "production"
-updated_date = "2021/03/03"
+deprecation_date = "2022/07/25"
+maturity = "deprecated"
+updated_date = "2022/07/25"
 
 [rule]
 author = ["Elastic"]