[Rule Tuning] Several rule tunings (#3024)
* [Rule Tuning] Several rule tunings
* Added 1 more
* optimized ransomware encryption rules
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
* Added 2 more tunings based on todays telemetry
* Some tunings
* Tuning
* Tuning
* fixed user.id comparison
* Something went wrong with deprecation
* Something went wrong with deprecation
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/discovery_linux_nping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/discovery_linux_hping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Dedeprecated the rule to deprecate later
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit a1716bd673)
This commit is contained in:
Ruben Groenewoud
committed by
github-actions[bot]
github-actions[bot]
parent
939800bb03
commit
ed2daecb25
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4"
|
||||
min_stack_version = "8.4.0"
|
||||
updated_date = "2023/06/14"
|
||||
updated_date = "2023/08/24"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,19 +28,15 @@ timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
|
||||
query = '''
|
||||
host.os.type : "linux" and event.category : "process" and
|
||||
event.action : ("exec" or "exec_event" or "fork" or "fork_event") and
|
||||
process.executable : (
|
||||
host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and
|
||||
process.executable:(
|
||||
/bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or
|
||||
/etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or
|
||||
/usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*
|
||||
) and process.args : (
|
||||
"whoami" or "id" or "hostname" or "uptime" or "top" or "ifconfig" or "netstat" or "route" or
|
||||
"ps" or "pwd" or "ls"
|
||||
) and not process.name : (
|
||||
"sudo" or "which" or "whoami" or "id" or "hostname" or "uptime" or "top" or "netstat" or "ps" or
|
||||
"pwd" or "ls" or "apt" or "dpkg" or "yum" or "rpm" or "dnf" or "dockerd" or "snapd" or "snap"
|
||||
)
|
||||
/usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*)
|
||||
and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and
|
||||
not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or
|
||||
dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and
|
||||
not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
Reference in New Issue
Block a user