From aaf1ab6bb247a878133ade01665c51f8a04ea09c Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Mon, 7 Mar 2022 19:33:11 +0530
Subject: [PATCH] [Rule Tuning] Rule description updates (#1811)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit f9503f2096e495e9a430e04111c1e7637519707e)
---
 rules/linux/defense_evasion_env_binary.toml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/rules/linux/defense_evasion_env_binary.toml b/rules/linux/defense_evasion_env_binary.toml
index cca34f51d..547458b36 100644
--- a/rules/linux/defense_evasion_env_binary.toml
+++ b/rules/linux/defense_evasion_env_binary.toml
@@ -1,11 +1,15 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/02/24"
+updated_date = "2022/03/04"
 
 [rule]
 author = ["Elastic"]
-description = "Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell"
+description = """
+Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.This
+activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious
+actor attempting to improve the capabilities or stability of their access
+"""
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 language = "eql"
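Review bot: The new multi-line `description` has a missing space after the first sentence ("system shell.This") and the final sentence has no terminating period, and this text is surfaced verbatim to analysts in the rule UI and in generated docs. The first and third lines of the string should read `Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell. This` and `actor attempting to improve the capabilities or stability of their access.` so the wrapped paragraph reads as three sentences. The rest of the `[rule]` table, including the query this description is meant to explain, continues outside the hunk, so I cannot confirm the wording still matches the rule's logic; worth a glance when the typo is fixed.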