From 92d432c78bf9a2b7235c19d1cb73b5c1d6759466 Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Wed, 21 Jul 2021 11:47:40 -0600
Subject: [PATCH] [Rule Tuning] Creation of Hidden Files and Directories (#1357)

* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex
(cherry picked from commit 9b559d0cd9431545bf4e71b7d3924c025088b62b)
---
 .../linux/defense_evasion_hidden_file_dir_tmp.toml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index 41c6a9f72..631dc5ddb 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -2,6 +2,7 @@
 creation_date = "2020/04/29"
 maturity = "production"
 updated_date = "2021/03/03"
+min_stack_version = "7.12.0"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +19,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
-language = "lucene"
+language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Creation of Hidden Files and Directories"
@@ -27,13 +28,13 @@ rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 query = '''
-event.category:process AND event.type:(start or process_started) AND
- process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm") AND
- process.args:/\.[a-zA-Z0-9_\-][a-zA-Z0-9_\-\.]{1,254}/ AND
- NOT process.name:(ls or find)
+process where event.type in ("start", "process_started") and
+ process.working_directory in ("/tmp", "/var/tmp", "/dev/shm") and
+ process.args regex~ """\.[a-z0-9_\-][a-z0-9_\-\.]{1,254}""" and
+ not process.name in ("ls", "find")
 '''
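Review bot: `updated_date = "2021/03/03"` is left untouched as context in the first hunk while the same commit rewrites the rule's `type` and `query`, so anyone keying on that field to notice rule changes will miss this tuning; unless the repository's tooling bumps it on release, set it to the commit date, `updated_date = "2021/07/21"`. The added `min_stack_version = "7.12.0"` carries no explanation of which feature forces the floor — presumably the case-insensitive `regex~` operator in the new EQL query, but that is inferred, not visible here — and a comment above it such as `# case-insensitive regex~ in the query requires 7.12+` would spare the next maintainer the archaeology; confirm the actual feature before writing it. The third hunk's counts (13 old / 13 new) show three trailing context lines that fall outside this excerpt, so that hunk is reviewed only as far as shown.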