[Docs | Rule Tuning] Add blog references to rules (#4097)

* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* Add Okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Mika Ayenson
2024-09-25 15:19:20 -05:00
committed by GitHub
parent 0ed6b3f0a2
commit b80d8342d6
164 changed files with 970 additions and 499 deletions
@@ -2,15 +2,15 @@
creation_date = "2024/06/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/07/30"
updated_date = "2024/09/23"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the addition of an executable bit for scripts that are located in directories which are
commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up
within your environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set
interval to gain persistence onto the system.
This rule monitors for the addition of an executable bit for scripts that are located in directories which are commonly
abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up within your
environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set interval to gain
persistence onto the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*", "endgame-*"]
@@ -21,6 +21,7 @@ references = [
"https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/",
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts",
"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/",
"https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
]
risk_score = 21
rule_id = "94418745-529f-4259-8d25-a713a6feb6ae"
@@ -56,10 +57,11 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend"
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.args : (
@@ -81,40 +83,42 @@ process.args : (
) and not process.parent.executable : "/var/lib/dpkg/*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[[rule.threat.technique.subtechnique]]
id = "T1037.004"
name = "RC Scripts"
reference = "https://attack.mitre.org/techniques/T1037/004/"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.013"
name = "XDG Autostart Entries"
reference = "https://attack.mitre.org/techniques/T1547/013/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"