From b642c55680c4a02fbdb072a0713193682d0d2c54 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 31 Jan 2025 15:33:21 +0100
Subject: [PATCH] [Rule Tuning] Potential OpenSSH Backdoor Logging Activity (#4429)

---
 rules/linux/credential_access_ssh_backdoor_log.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index e2432df22..802a66e3e 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2025/01/24"
+updated_date = "2025/01/29"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ enable unauthorized access or to log SSH credentials for exfiltration.
 """
 false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."]
 from = "now-9m"
-index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["auditbeat-*", "logs-endpoint.events.file-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential OpenSSH Backdoor Logging Activity"
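Review bot: Narrowing the endpoint pattern on the `index` line from `logs-endpoint.events.*` to `logs-endpoint.events.file-*` removes every non-file event category from the Elastic Defend data source, which is only safe if the rule's EQL query is scoped entirely to `file where` events; the `query` field sits outside this hunk, so the diff alone cannot confirm that. If the query also references another category (process events, for example), those events would silently stop matching on the endpoint source with no validation error, since the broader `auditbeat-*` and `endgame-*` patterns are unchanged and would mask the gap in testing. Please confirm the query touches only the file category and that the rule's unit or integration test data still routes through the endpoint file data stream. A one-line rationale for the narrowing (reduced scanned indices or noise) in the PR description would also help the next tuning pass understand why this source is tighter than the others in the same array.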