[BUG] test_all_rule_queries_optimized does not run on rules (#2823)

* Fixed kql -> kuery in test_all_rule_queries_opt... * all queries optimized * manually reconciled all rules that failed due to toml escaped chars * merge rules from main * Rules needing optimization * Fix optimized note * fix another note * another note fix * fixing whitespace * Updated for readability --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-23 14:58:31 +00:00
parent d829b145ef
commit aaa4ce2ea0
14 changed files with 201 additions and 190 deletions
@@ -4,16 +4,16 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 min_stack_version = "8.6.0"
-updated_date = "2023/06/09"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object 
-file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While 
-this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute 
-unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows 
-malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the 
+This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object
+file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While
+this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute
+unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows
+malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the
 affected system and its data.
 """
 from = "now-9m"
@@ -21,9 +21,7 @@ index = ["logs-endpoint.events.*", "endgame-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Shared Object Created or Changed by Previously Unknown Process"
-references = [
-    "https://threatpost.com/sneaky-malware-backdoors-linux/180158/"
-]
+references = ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"]
 risk_score = 47
 rule_id = "aebaa51f-2a91-4f6a-850b-b601db2293f4"
 severity = "medium"
@@ -32,23 +30,25 @@ timestamp_override = "event.ingested"
 type = "new_terms"

 query = '''
-host.os.type : "linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
-file.path : (/usr/lib/* or /dev/shm/*) and file.extension : "so" and process.name : * and not 
-process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "5")
+host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and 
+file.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and 
+process.name:(* and not (5 or dockerd or dpkg or rpm or snapd))
 '''

+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1574"
 name = "Hijack Execution Flow"
 reference = "https://attack.mitre.org/techniques/T1574/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
 reference = "https://attack.mitre.org/techniques/T1574/006/"

+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -57,7 +57,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["file.path", "process.name"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
+
+