[Rule Tuning] Linux DR Tuning - 7 (#5504)

* [Rule Tuning] Linux DR Tuning - 7

* Update execution_egress_connection_from_entrypoint_in_container.toml

* Update execution_kubernetes_direct_api_request_via_curl_or_wget.toml

* Update rules/linux/execution_perl_tty_shell.toml

* Update execution_perl_tty_shell.toml

* Update rules/linux/execution_unix_socket_communication.toml

* Update execution_file_made_executable_via_chmod_inside_container.toml

* Remove duplicate Crowdstrike data source entry

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

rules/linux/execution_python_webserver_spawned.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,7 @@ Python's built-in HTTP server module allows quick web server deployment, often u
 - Apply patches and updates to the affected system and any related software to mitigate vulnerabilities that may have been exploited.
 - Implement network segmentation to limit the ability of unauthorized processes to communicate across the network.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation and recovery actions are taken."""
-risk_score = 21
+risk_score = 47
 rule_id = "99c2b626-de44-4322-b1f9-157ca408c17e"
 setup = """## Setup
 
@@ -82,7 +82,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -96,47 +96,46 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
-  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+(
+  (process.name like "python*" and process.args in ("http.server", "SimpleHTTPServer")) or
   (
-    (process.name like "python*" and process.args in ("http.server", "SimpleHTTPServer")) or
-    (
-      process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
-      process.command_line like~ "*python* -m http.server*"
-    )
+    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
+    process.command_line like~ "*python* -m http.server*"
   )
+) and
+not process.parent.executable == "/usr/lib/systemd/systemd"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.006"
 name = "Python"
 reference = "https://attack.mitre.org/techniques/T1059/006/"
 
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1570"
 name = "Lateral Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1570/"
 
-
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-