[Rule Tuning] Rule description updates (#1811)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit f9503f2096)
This commit is contained in:
shashank-elastic
committed by
github-actions[bot]
github-actions[bot]
parent
c4fea2fc00
commit
aaf1ab6bb2
@@ -1,11 +1,15 @@
|
||||
[metadata]
|
||||
creation_date = "2022/02/24"
|
||||
maturity = "production"
|
||||
updated_date = "2022/02/24"
|
||||
updated_date = "2022/03/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = "Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell"
|
||||
description = """
|
||||
Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.This
|
||||
activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious
|
||||
actor attempting to improve the capabilities or stability of their access
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
|
||||
Reference in New Issue
Block a user