[Rule Tuning] Some Tunings of several 8.9 rules (#2985)

* [Rule Tuning] Doing some quick tunings * updated_date bump * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_sysctl_enumeration.toml * Update rules/linux/persistence_init_d_file_creation.toml * Update rules/linux/persistence_rc_script_creation.toml * Update rules/linux/persistence_shared_object_creation.toml * deprecate rule * deprecate rule * Update execution_abnormal_process_id_file_created.toml * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update execution_remote_code_execution_via_postgresql.toml * Update discovery_potential_syn_port_scan_detected.toml * Added 2 tunings, sorry I missed those.. * One more tune * Update discovery_suspicious_proc_enumeration.toml
2023-08-03 15:25:33 +02:00
parent 03110fb24c
commit a7ff449fbc
23 changed files with 128 additions and 109 deletions
@@ -1,10 +1,11 @@
 [metadata]
 creation_date = "2022/05/16"
+deprecation_date = "2023/07/31"
 integration = ["endpoint"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -88,15 +88,14 @@ and source.ip : (
        "FF00::/8")
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"

-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
@@ -105,8 +104,7 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["destination.ip", "process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-2d"
-
-
+value = "now-7d"
@@ -2,9 +2,9 @@
 creation_date = "2020/04/23"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "Enumeration of Kernel Modules"
 risk_score = 47
@@ -29,27 +29,32 @@ rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
 severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
-type = "eql"
-
+type = "new_terms"
 query = '''
-process where host.os.type == "linux" and event.type == "start" and 
-((process.name == "kmod" and process.args == "list") or (process.name == "modinfo" and process.parent.user.id != "0") or 
-(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0") 
-or process.name == "lsmod") and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not 
-process.group_leader.name : "qualys-cloud-agent"
+event.category:process and host.os.type:linux and event.type:start and (
+ (process.name:(lsmod or modinfo)) or 
+ (process.name:kmod and process.args:list) or 
+ (process.name:depmod and process.args:(--all or -a))
+) and not process.parent.user.id:0
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
+
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"

-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"

+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.parent.name", "host.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/12"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -41,29 +41,29 @@ For this detection rule to trigger, the following additional audit rules are req
 ```
 Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
 """
-risk_score = 47
+risk_score = 21
 rule_id = "80084fa9-8677-4453-8680-b891d3c0c778"
-severity = "medium"
+severity = "low"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-file where host.os.type == "linux" and event.action == "opened-file" and 
-file.path == "/proc/modules" and not process.parent.pid == 1
+file where host.os.type == "linux" and event.action == "opened-file" and file.path == "/proc/modules" and not 
+(
+  process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "SchedulerRunner", "grep") or 
+  process.parent.pid == 1 or process.title : "*grep*"
+)
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"

-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
@@ -4,15 +4,15 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
 description = """
-Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized 
-access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or 
-unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities 
-within the system.
+Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or 
+manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized
+kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the 
+system.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -47,9 +47,12 @@ tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
+file where host.os.type == "linux" and event.action == "opened-file" and
 file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not 
-(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod") or process.title : ("*grep*") or process.parent.pid == 1)
+(
+  process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp") or 
+  process.title : "*grep*" or process.parent.pid == 1
+)
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -48,7 +48,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
-file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and not process.name == "auditbeat"
+file.path : ("/etc/sysctl.conf", "/etc/sysctl.d", "/etc/sysctl.d/*") and 
+not process.name in ("auditbeat", "systemd-sysctl")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/09"
+updated_date = "2023/08/03"

 [rule]
 author = ["Elastic"]
@@ -38,16 +38,17 @@ For this detection rule to trigger, the following additional audit rules are req

 Add the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
 """
-risk_score = 47
+risk_score = 21
 rule_id = "0787daa6-f8c5-453b-a4ec-048037f6c1cd"
-severity = "medium"
+severity = "low"
 tags = ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "threshold"

 query = '''
 host.os.type : "linux" and event.category : "file" and event.action : "opened-file" and 
-file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1
+file.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : "pidof" and 
+not process.parent.pid : 1
 '''

 [[rule.threat]]
@@ -72,4 +73,4 @@ field = ["host.id", "process.pid", "process.name"]
 value = 1
 [[rule.threshold.cardinality]]
 field = "file.path"
-value = 25
+value = 100
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -80,11 +80,12 @@ type = "new_terms"

 query = '''
 host.os.type : "linux" and event.category : "file" and event.action : ("creation" or "file_create_event") and
-user.id : "0" and file.path : (/var/run/* or /run/*) and file.extension : ("pid" or "lock" or "reboot") and not 
-file.name : ("auditd.pid" or "python*" or "apport.pid" or "apport.lock" or "kworker*" or "gdm3.pid" or "sshd.pid" or 
+user.id : "0" and file.extension : ("pid" or "lock" or "reboot") and file.path : (/var/run/* or /run/*) and not 
+file.name : ("auditd.pid" or python* or "apport.pid" or "apport.lock" or kworker* or "gdm3.pid" or "sshd.pid" or 
 "acpid.pid" or "unattended-upgrades.lock" or "unattended-upgrades.pid" or "cmd.pid" or "yum.pid" or "netconfig.pid" or 
 "docker.pid" or "atd.pid" or "lfd.pid" or "atop.pid" or "nginx.pid" or "dhclient.pid" or "smtpd.pid" or "stunnel.pid" or 
-"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid")
+"1_waagent.pid" or "crond.pid" or "cron.reboot" or "sssd.pid" or "tomcat8.pid" or "winbindd.pid" or "chronyd.pid") and
+not process.name : ("runc" or "ufw" or "snapd" or "snap" or "iptables")
 '''

 [[rule.threat]]
@@ -106,4 +107,4 @@ value = ["process.executable", "file.path"]

 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-14d"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/20"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -20,15 +20,18 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Code Execution via Postgresql"
-risk_score = 73
+risk_score = 47
 rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e"
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 type = "eql"

 query = '''
 process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and 
-event.type == "start" and user.name == "postgres" and (process.parent.args : "*sh" or process.args : "*sh")
+event.type == "start" and user.name == "postgres" and (
+  (process.parent.args : "*sh" and process.parent.args : "echo*") or 
+  (process.args : "*sh" and process.args : "echo*")
+) and not process.parent.name : "puppet"
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/15"
+updated_date = "2023/08/02"

 [rule]
 author = ["Elastic"]
@@ -19,9 +19,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious File Changes Activity Detected"
-risk_score = 73
+risk_score = 47
 rule_id = "28738f9f-7427-4d23-bc69-756708b5f624"
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
 type = "eql"
 query = '''
@@ -36,20 +36,20 @@ sequence by host.id, process.entity_id with maxspan=1s
      "php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
      ) and not 
    process.name : (
-      "dpkg",  "yum", "dnf", "rpm", "dockerd"
+      "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d", 
+      "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy"
    ) ] with runs=100 | tail 1
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1486"
 name = "Data Encrypted for Impact"
 reference = "https://attack.mitre.org/techniques/T1486/"

-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
+reference = "https://attack.mitre.org/tactics/TA0040/"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/15"
+updated_date = "2023/08/02"

 [rule]
 author = ["Elastic"]
@@ -20,9 +20,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Linux Ransomware Note Creation Detected"
-risk_score = 73
+risk_score = 47
 rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af"
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
 type = "eql"
 query = '''
@@ -43,19 +43,18 @@ sequence by host.id, process.entity_id with maxspan=1s
    file.name : (
      "*crypt*", "*restore*", "*lock*", "*recovery*", "*data*", 
      "*read*", "*instruction*", "*how_to*", "*ransom*"
-      ) ] | tail 1
+      ) and not process.name : ("go", "java", "pip*", "python*", "node", "containerd") ] | tail 1
 '''

-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1486"
 name = "Data Encrypted for Impact"
 reference = "https://attack.mitre.org/techniques/T1486/"

-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
+reference = "https://attack.mitre.org/tactics/TA0040/"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/09"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -31,8 +31,9 @@ type = "new_terms"
 query = '''
 host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and 
 file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or 
-/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /var/spool/cron/* or /usr/sbin/cron or /usr/sbin/anacron) 
-and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd") or file.extension : "swp")
+/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) 
+and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or 
+file.extension : ("swp" or "swx"))
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/31"

 [transform]
 [[transform.osquery]]
@@ -132,8 +132,8 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
-file.path : /etc/init.d/* and not process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not 
-file.extension : "swp"
+file.path : /etc/init.d/* and not process.name : ("dpkg" or "dockerd" or "rpm" or "chef-client" or "apk" or "yum" or 
+"rpm" or "vmis-launcher" or "exe") and not file.extension : ("swp" or "swx")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/31"

 [transform]
 [[transform.osquery]]
@@ -126,7 +126,8 @@ type = "new_terms"
 query = '''
 host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
 file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not 
-process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not file.extension : "swp"
+process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/kaniko/executor") and not 
+file.extension : ("swp" or "swx")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/31"

 [transform]
 [[transform.osquery]]
@@ -127,7 +127,8 @@ query = '''
 process where host.os.type == "linux" and 
 event.type == "start" and event.action : ("exec", "exec_event") and
 process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and
-process.executable : ("*sh", "python*", "perl", "php*")
+process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "perl", "php*", "nc", "ncat", 
+"netcat", "socat", "lua", "java", "openssl", "ruby", "telnet", "awk")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/31"

 [transform]
 [[transform.osquery]]
@@ -111,7 +111,7 @@ type = "new_terms"
 query = '''
 host.os.type : "linux" and event.category : "file" and 
 event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
-file.path : "/etc/rc.local" and not file.extension : "swp"
+file.path : "/etc/rc.local" and not process.name : ("dockerd" or "yum" or "rpm" or "dpkg") and not file.extension : ("swp" or "swx")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ type = "new_terms"
 query = '''
 host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and 
 file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and 
-process.name:(* and not (5 or dockerd or dpkg or rpm or snapd))
+process.name: ( * and not ("5" or "dockerd" or "dpkg" or "rpm" or "snapd" or "exe" or "yum" or "vmis-launcher"))
 '''


@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/07/20"
+updated_date = "2023/07/31"

 [transform]
 [[transform.osquery]]
@@ -142,7 +142,7 @@ query = '''
 host.os.type : "linux" and event.action : ("creation" or "file_create_event") and file.extension : "timer" and
 file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or 
 /usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not 
-process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm")
+process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm" or "/proc/self/exe" or "/usr/sbin/dockerd")
 '''

 [[rule.threat]]
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/09"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -34,7 +34,8 @@ query = '''
 host.os.type : "linux" and event.action : ("creation" or "file_create_event") and
 file.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or 
 /usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not 
-(process.name : ("dpkg" or "dockerd" or "rpm" or "snapd") or file.extension : "swp")
+(process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "dnf-automatic" or python* or 
+ "elastic-agent" or "cinc-client") or file.extension : ("swp" or "swx"))
 '''

 [[rule.threat]]
@@ -3,7 +3,7 @@ creation_date = "2023/06/09"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/09"
+updated_date = "2023/07/31"
 integration = ["endpoint"]

 [rule]
@@ -25,9 +25,9 @@ references = [
    "https://www.makeuseof.com/what-is-venom-vulnerability/",
    "https://madaidans-insecurities.github.io/guides/linux-hardening.html"
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957"
-severity = "high"
+severity = "medium"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/05/26"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -20,19 +20,19 @@ index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Network Sweep Detected"
-
-risk_score = 47
+risk_score = 21
 rule_id = "781f8746-2180-4691-890c-4c96d11ca91d"
-severity = "medium"
+severity = "low"
 tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
 type = "threshold"
-
 query = '''
-destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986)
+destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and 
+source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
@@ -64,5 +64,6 @@ reference = "https://attack.mitre.org/tactics/TA0043/"
 field = ["source.ip"]
 value = 1
 [[rule.threshold.cardinality]]
+
 field = "destination.ip"
-value = 10
+value = 100
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/05/26"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -21,19 +21,18 @@ index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Network Scan Detected"
-
-risk_score = 47
+risk_score = 21
 rule_id = "0171f283-ade7-4f87-9521-ac346c68cc9b"
-severity = "medium"
+severity = "low"
 tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
 type = "threshold"
-
 query = '''
-destination.port :* and event.action: ("network_flow" or "connection_accepted" or "connection_attempted" )
+destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
@@ -46,6 +45,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1595"
 name = "Active Scanning"
@@ -64,6 +64,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/"
 [rule.threshold]
 field = ["destination.ip", "source.ip"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "destination.port"
-value = 20
+value = 250
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/05/26"
+updated_date = "2023/07/31"

 [rule]
 author = ["Elastic"]
@@ -21,19 +21,18 @@ index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential SYN-Based Network Scan Detected"
-
-risk_score = 47
+risk_score = 21
 rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409"
-severity = "medium"
+severity = "low"
 tags = ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"]
 type = "threshold"
-
 query = '''
-destination.port :* and network.packets <= 2
+destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 '''

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
@@ -46,6 +45,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"

 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1595"
 name = "Active Scanning"
@@ -64,6 +64,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/"
 [rule.threshold]
 field = ["destination.ip", "source.ip"]
 value = 1
+
 [[rule.threshold.cardinality]]
 field = "destination.port"
-value = 10
+value = 250