From bd46e892f1b7dfd642c63452e4a61476ec4785fe Mon Sep 17 00:00:00 2001
From: ALEXANDER MA COTE
Date: Thu, 13 Oct 2022 15:53:35 -0400
Subject: [PATCH] add "Windows Azure Linux Agent"'s pid file to list (#2328)

* add "Windows Azure Linux Agent"'s pid file to list
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux
this tool is default installed on azure linux hosts, can resolve my problem as an exception and have but the tool is common enough in cloud environments that it deserves inclusion.
* Update execution_abnormal_process_id_file_created.toml
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Jonhnathan
---
 rules/linux/execution_abnormal_process_id_file_created.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index f954f6f10..7b037a18b 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -118,7 +118,8 @@ file where event.type == "creation" and user.id == "0" and
  "nginx.pid",
  "dhclient.pid",
  "smtpd.pid",
- "stunnel.pid"
+ "stunnel.pid",
+ "1_waagent.pid"
 )
 '''
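Review bot: The added `"1_waagent.pid"` entry excludes on `file.name` alone, so any root process that creates a file of that name under the watched path is dropped from this rule, not only the Azure agent; this matches the shape of the existing entries, but every name-only exclusion is a small, predictable blind spot in a rule whose purpose is to catch unexpected pid files. If the agent's creating process is stable, a narrower exception such as `not (file.name == "1_waagent.pid" and process.executable == "<waagent executable path — confirm on an Azure host>")` would keep the file name covered for every other writer. The commit message gives only the product documentation link as justification; a short comment in the rule's note or description recording why this name is excluded and which process is expected to create it would help the next reviewer judge whether to keep it. The `file where ...` query this list belongs to starts before the hunk, so I could not check whether it already scopes exclusions by process elsewhere.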