[Tuning] event.action and event.type change (#3495)

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-03-13 10:11:21 +01:00
parent 458e67918a
commit 9f8638a004
81 changed files with 215 additions and 202 deletions
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/19"
+updated_date = "2024/03/08"

 [transform]
 [[transform.osquery]]
@@ -140,7 +140,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.name == "cat" and process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
  [network where host.os.type == "linux" and event.action in ("connection_attempted", "disconnect_received") and
   process.name == "cat" and not (destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [transform]
 [[transform.osquery]]
@@ -148,7 +148,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
   process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and 
   process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
  [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and 
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [transform]
 [[transform.osquery]]
@@ -148,10 +148,10 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1m
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
   process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and 
   process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
-  [network where host.os.type == "linux" and event.action == "connection_accepted" and event.type == "start" and 
+  [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_accepted" and 
   destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and 
   not process.name : (
     "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [transform]
 [[transform.osquery]]
@@ -123,8 +123,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "proxychains"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "proxychains"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [transform]
 [[transform.osquery]]
@@ -148,8 +148,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "proxychains" and process.args : (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "proxychains" and process.args : (
  "ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng",
  "ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby",
  "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/19"
+updated_date = "2024/03/08"

 [transform]
 [[transform.osquery]]
@@ -149,8 +149,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
-event.type == "start" and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
  (
    // gost & pivotnacci - spawned without process.parent.name
    (process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/19"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and 
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
 process.name == "gdb" and process.args in ("--pid", "-p") and process.args == "1"
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -37,8 +37,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "gdb" and process.args in ("--pid", "-p") and 
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "gdb" and process.args in ("--pid", "-p") and 
 /* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */
 process.args != "1"
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -72,8 +72,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name in ("base16", "base32", "base32plain", "base32hex") and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name in ("base16", "base32", "base32plain", "base32hex") and
 not process.args in ("--help", "--version")
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -56,7 +56,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
   process.name in ("cp", "mv") and process.args : (
   // Shells
   "/bin/*sh", "/usr/bin/*sh", 
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -57,8 +57,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "dmesg" and process.args == "-c"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "dmesg" and process.args == "-c"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -58,8 +58,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and (
  (process.name == "systemctl" and process.args == "disable" and process.args == "apparmor") or
  (process.name == "ln" and process.args : "/etc/apparmor.d/*" and process.args == "/etc/apparmor.d/disable/")
 )
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -70,8 +70,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "setenforce" and process.args == "0"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "setenforce" and process.args == "0"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.5.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -63,8 +63,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "touch" and process.args == "-r" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "touch" and process.args == "-r" and
 process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name == "rmmod" or (process.name == "modprobe" and process.args in ("--remove", "-r")) and 
 process.parent.name in ("sudo", "bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/01"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name : ("kworker*", "kthread*") and process.executable != null
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -65,8 +65,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "mount" and process.args == "/proc" and process.args == "-o" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "mount" and process.args == "/proc" and process.args == "-o" and
 process.args : "*hidepid=2*"
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -67,7 +67,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and process.parent.name == "proot"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
+process.parent.name == "proot"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and 
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
 process.parent.name in ("screen", "tmux") and process.name : (
  "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "python*", "php*", "perl", "ruby",
  "lua*", "openssl", "telnet", "awk", "wget", "curl", "id"
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -61,8 +61,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "od" and process.args in (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "od" and process.args in (
  "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/etc/ld.so.preload", "/lib64/ld-linux-x86-64.so.2",
  "/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "/usr/lib64/ld-linux-x86-64.so.2"
 )
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.5.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -60,8 +60,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.5.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -60,8 +60,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name in ("grep", "egrep", "pgrep") and process.args in (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name in ("grep", "egrep", "pgrep") and process.args in (
  "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem"
 )
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.category:process and host.os.type:linux and event.action:(exec or exec_event) and event.type:start and (
+event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (
 (process.name:(lsmod or modinfo)) or 
 (process.name:kmod and process.args:list) or 
 (process.name:depmod and process.args:(--all or -a))
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/20/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -76,8 +76,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name in ("hping", "hping2", "hping3")
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name in ("hping", "hping2", "hping3")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -76,8 +76,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "nping"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "nping"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/29"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.name in ("cat", "grep") and process.args : "/proc/*/maps" and process.entry_leader.name in (
  "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"
 )
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -57,7 +57,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name == "getcap" and process.args == "-r" and process.args == "/" and process.args_count == 3 and
 user.id != "0"
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and 
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
 process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and 
 not process.args == "--tty-only"

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id, process.parent.entity_id with maxspan=1s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
   process.name == "id" and process.args_count == 2 and 
   not (process.parent.name == "rpm" or process.parent.args : "/var/tmp/rpm-tmp*")] with runs=20
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6."
 min_stack_version = "8.6.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "curl" 
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "curl" 
 and (
  process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or 
  process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ sequence by host.id, user.id with maxspan=1m
   process.name in ("curl", "wget", "fetch", "ftp", "sftp", "scp", "rsync", "ld") and 
   file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
     "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
   process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.name
  [file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and 
   file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
@@ -2,7 +2,7 @@
 creation_date = "2023/09/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -56,7 +56,7 @@ tags = ["Domain: Endpoint",
        ]
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
  (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or
  (process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and 
   process.args_count == 4)
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ tags = ["Domain: Endpoint",
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and 
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
 process.name == "rlwrap" and process.args in ("nc", "ncat", "netcat", "nc.openbsd", "socat") and
 process.args : "*l*" and process.args_count >= 4
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/12/13"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -56,10 +56,10 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id with maxspan=1m
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
   process.name in ("gcc", "g++", "cc")] by process.args
  [file where host.os.type == "linux" and event.action == "creation" and process.name == "ld"] by file.name
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start"] by process.name
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec"] by process.name
  [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and 
   not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.name
 '''
@@ -2,7 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -59,8 +59,8 @@ tags = [
        ]
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name in (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name in (
  // exploitation frameworks
  "crackmapexec", "msfconsole", "msfvenom", "sliver-client", "sliver-server", "havoc",
  // network scanners (nmap left out to reduce noise)
@@ -2,7 +2,7 @@
 creation_date = "2020/04/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -57,7 +57,7 @@ tags = [
 type = "eql"

 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 (
  (process.parent.name : "python*" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh",
   "fish") and process.parent.args_count >= 3 and process.parent.args : "*pty.spawn*" and process.parent.args : "-c") or
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -59,8 +59,8 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and 
-event.type == "start" and user.name == "postgres" and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "fork", "fork_event") and 
+user.name == "postgres" and (
  (process.parent.args : "*sh" and process.parent.args : "echo*") or 
  (process.args : "*sh" and process.args : "echo*")
 ) and not process.parent.name : "puppet"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/20"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -56,7 +56,7 @@ tags = [
        ]
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and 
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
 process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and 
 process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ sequence by host.id, process.entity_id with maxspan=1s
  "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*",
  "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local"
   ) and destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ]
-[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
  process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and 
  process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
 '''
@@ -4,13 +4,13 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
 description = """
-Identifies service creation events of common mining services, possibly indicating the infection 
-of a system with a cryptominer.
+Identifies service creation events of common mining services, possibly indicating the infection of a system with a
+cryptominer.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "endgame-*"]
@@ -45,16 +45,21 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Execution",
+        "Data Source: Elastic Endgame",
+        "Data Source: Elastic Defend"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where host.os.type == "linux" and event.type == "creation" and
-event.action : ("creation", "file_create_event") and 
+file where host.os.type == "linux" and event.type == "creation" and event.action : ("creation", "file_create_event") and 
 file.name : ("aliyun.service", "moneroocean_miner.service", "c3pool_miner.service", "pnsd.service", "apache4.service", "pastebin.service", "xvf.service")
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
  
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -59,8 +59,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name in ("curl", "wget") and process.args : (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name in ("curl", "wget") and process.args : (
  "https://thc.org/ssh-it/x", "http://nossl.segfault.net/ssh-it-deploy.sh", "https://gsocket.io/x",
  "https://thc.org/ssh-it/bs", "http://nossl.segfault.net/bs"
 )
@@ -3,7 +3,7 @@ creation_date = "2024/02/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/01"
+updated_date = "2024/03/08"
 integration = ["endpoint"]

 [rule]
@@ -61,12 +61,12 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.parent.name == "apt" and process.args == "-c" and process.name in (
     "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"
   )
  ] by process.entity_id
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name : (
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name : (
     "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*",
     "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk"
   )
@@ -3,7 +3,7 @@ creation_date = "2024/02/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/01"
+updated_date = "2024/03/08"
 integration = ["endpoint"]

 [rule]
@@ -61,7 +61,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.parent.name == "apt" and process.args == "-c" and process.name in (
     "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"
    )
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/03/08"

 [transform]
 [[transform.osquery]]
@@ -126,8 +126,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "usermod" and process.args : "-u" and process.args : "0" and process.args : "-o"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/03/08"

 [transform]
 [[transform.osquery]]
@@ -121,8 +121,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.args in (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.args in (
  "root", "admin", "wheel", "staff", "sudo","disk", "video", "shadow", "lxc", "lxd"
 ) and
 (
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/03/08"

 [transform]
 [[transform.osquery]]
@@ -143,7 +143,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and 
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
 process.name == "setcap" and process.args : "cap_set?id+ep" and not process.parent.name in ("jem", "vzctl")
 '''

@@ -3,7 +3,7 @@ creation_date = "2024/02/01"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/01"
+updated_date = "2024/03/08"
 integration = ["endpoint"]

 [rule]
@@ -61,7 +61,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.parent.name == "systemd" and process.name in (
     "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk"
   )
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -61,8 +61,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  (process.name == "runc" and process.args == "run") or
  (process.name == "ctr" and process.args == "run" and process.args in ("--privileged", "--mount"))
 ) and not user.Ext.real.id == "0" and not group.Ext.real.id == "0" and 
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/15"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -70,10 +70,10 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.parent.entity_id with maxspan=5m
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.name == "mount" and process.args : "/dev/sd*" and process.args_count >= 3 and
   process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.name == "chroot"]
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/01/05"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id, process.parent.entity_id with maxspan=5s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
    process.name == "enlightenment_sys" and process.args in ("/bin/mount/", "-o","noexec","nosuid","nodev","uid=*") ]
  [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and user.id == "0"]
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/01/09"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -59,10 +59,10 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entry_leader.entity_id with maxspan=1m
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "gdb" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "gdb" and
   (process.thread.capabilities.effective : "CAP_SYS_PTRACE" or process.thread.capabilities.permitted : "CAP_SYS_PTRACE") and 
   user.id != "0"]
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.name != null and user.id == "0"]
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/01/09"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entry_leader.entity_id with maxspan=30s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "gdb" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "gdb" and
   (process.thread.capabilities.effective : "CAP_SYS_PTRACE" or process.thread.capabilities.permitted : "CAP_SYS_PTRACE") and
   user.id != "0"]
  [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -48,12 +48,20 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Privilege Escalation",
+        "Tactic: Credential Access",
+        "Data Source: Elastic Endgame",
+        "Data Source: Elastic Defend"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and
-event.type == "start" and process.name == "ln" and process.args in ("-s", "-sf") and 
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
+process.name == "ln" and process.args in ("-s", "-sf") and 
  (
    /* suspicious files */
    (process.args in ("/etc/shadow", "/etc/shadow-", "/etc/shadow~", "/etc/gshadow", "/etc/gshadow-") or 
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and 
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
 process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000"
 '''

@@ -3,7 +3,7 @@ creation_date = "2023/06/09"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/03/08"
 integration = ["endpoint", "auditd_manager"]

 [rule]
@@ -67,8 +67,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6."
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s
- [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+ [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
  process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -58,8 +58,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-network where host.os.type == "linux" and event.action in ("connection_attempted", "ipv4_connection_attempt_event") and
-event.type == "start" and process.name == "sudo"
+network where host.os.type == "linux" and event.type == "start" and
+event.action in ("connection_attempted", "ipv4_connection_attempt_event") and process.name == "sudo"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by process.parent.entity_id, host.id with maxspan=5s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
    process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*"  and user.id != "0"]
  [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and 
    user.id == "0"]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -52,11 +52,11 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id with maxspan=1s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and (
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
    (process.name == "tar" and process.args : "--checkpoint=*" and process.args : "--checkpoint-action=*") or
    (process.name == "rsync" and process.args : "-e*") or
    (process.name == "zip" and process.args == "--unzip-command") )]  by process.entity_id
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
     process.parent.name : ("tar", "rsync", "zip") and 
     process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.parent.entity_id
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and 
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
 process.name == "debugfs" and process.args : "/dev/sd*" and not process.args == "-R" and 
 not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/21"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -61,8 +61,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and process.name == "sudo" and process.args == "-u#-1"
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and process.name == "sudo" and process.args == "-u#-1"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id, process.session_leader.entity_id with maxspan=15s
-[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
  process.name == "gdb" and process.user.id != "0" and process.group.id != "0" ]
 [ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and 
  process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
   process.args : "import os;os.set?id(0);os.system(*)" and process.args : "*python*" and user.id != "0"]
  [process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and 
   (user.id == "0" or group.id == "0")]
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/02/19"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -59,7 +59,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.pid with maxspan=1s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
   process.name != null and process.thread.capabilities.effective : ("CAP_CHOWN", "CAP_FOWNER") and
   process.command_line : ("*sudoers*", "*passwd*", "*shadow*", "*/root/*") and user.id != "0"]
  [file where host.os.type == "linux" and event.action == "changed-file-ownership-of" and event.type == "change" and
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/01/08"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name != null and
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name != null and
   (process.thread.capabilities.effective : "CAP_SET?ID" or process.thread.capabilities.permitted : "CAP_SET?ID") and 
   user.id != "0"]
  [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and 
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -50,11 +50,11 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by host.id with maxspan=1m
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
   process.name in ("gcc", "g++", "cc") and user.id != "0"] by process.args
  [file where host.os.type == "linux" and event.action == "creation" and event.type == "creation" and 
   process.name == "ld" and user.id != "0"] by file.name
-  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
   user.id != "0"] by process.name
  [process where host.os.type == "linux" and event.action in ("uid_change", "guid_change") and event.type == "change" and 
   user.id == "0"] by process.name
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 building_block_type = "default"
 query = '''
 event.category:process and host.os.type:"linux" and
-event.action:("exec" or "exec_event" or "executed" or "process_started") and event.type:"start" and
+event.type:"start" and event.action:("exec" or "exec_event" or "executed" or "process_started") and
 process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq")
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [transform]
 [[transform.osquery]]
@@ -121,7 +121,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and 
 process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
+process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
 process.name : "* "
 '''

@@ -5,7 +5,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/01/10"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -56,7 +56,7 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.category:"process" and host.os.type:"linux" and event.action:"exec" and event.type:"start" and process.name:* and
+event.category:"process" and host.os.type:"linux" and event.type:"start" and event.action:"exec" and process.name:* and
 (process.thread.capabilities.effective:"CAP_NET_RAW" or process.thread.capabilities.permitted:"CAP_NET_RAW") and
 not user.id:"0"
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and (
+process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and (
  process.name: "uname" or (
  process.name: ("cat", "more", "less") and process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*")
  )
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and ( 
+process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 
  (process.name in ("groups", "id")) or 
  (process.name == "dscl" and process.args : ("/Active Directory/*", "/Users*", "/Groups*")) or
  (process.name == "dscacheutil" and process.args in ("user", "group")) or
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -35,8 +35,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and (
  process.name in ("ldapsearch", "dscacheutil") or (process.name == "dscl" and process.args : "*-list*")
 )
 '''
@@ -5,7 +5,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/01"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
  (process.name == "tail" and process.args == "-c") or
  (process.name == "cmp" and process.args == "-i") or
  (process.name in ("hexdump", "xxd") and process.args == "-s") or
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.action in ("exec", "exec_event") and event.type == "start" and process.name in (
+process where event.type == "start" and event.action in ("exec", "exec_event") and process.name in (
  "ps", "pstree", "htop", "pgrep"
 ) and 
 not process.parent.name in ("amazon-ssm-agent", "snap")
@@ -5,7 +5,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/05"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
 process.name in ("grep", "egrep", "fgrep", "rgrep") and process.args in ("[stack]", "[vdso]", "[heap]")
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
+process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
 process.name in ("netstat", "lsof", "who", "w")
 '''

@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"
 bypass_bbr_timing = true

 [rule]
@@ -37,8 +37,8 @@ timestamp_override = "event.ingested"
 building_block_type = "default"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "executed", "process_started") and
-event.type == "start" and (
+process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
+ and (
  (process.name in ("nc", "ncat", "netcat", "nc.openbsd") and 
   process.args == "-U" and process.args : ("/usr/local/*", "/run/*", "/var/run/*")) or
  (process.name == "socat" and 
@@ -5,7 +5,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/01/10"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ tags = [
 type = "new_terms"
 timestamp_override = "event.ingested"
 query = '''
-event.category:"process" and host.os.type:"linux" and event.action:"exec" and event.type:"start" and process.name:* and
+event.category:"process" and host.os.type:"linux" and event.type:"start" and event.action:"exec" and process.name:* and
 (process.thread.capabilities.effective:"CAP_SYS_ADMIN" or process.thread.capabilities.permitted:"CAP_SYS_ADMIN") and
 not user.id:"0"
 '''
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/02/22"
+updated_date = "2024/03/08"

 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.action in ("exec", "exec_event", "executed", "process_started") and event.type == "start" and
+process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
 process.name == "trap" and process.args : "SIG*"
 '''