[Rule Tuning] Several rule tunings (#3024)
* [Rule Tuning] Several rule tunings
* Added 1 more
* optimized ransomware encryption rules
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
* Added 2 more tunings based on todays telemetry
* Some tunings
* Tuning
* Tuning
* fixed user.id comparison
* Something went wrong with deprecation
* Something went wrong with deprecation
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/discovery_linux_nping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/discovery_linux_hping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Dedeprecated the rule to deprecate later
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit a1716bd673)
This commit is contained in:
Ruben Groenewoud
committed by
github-actions[bot]
github-actions[bot]
parent
939800bb03
commit
ed2daecb25
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/08/02"
|
||||
updated_date = "2023/08/22"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,20 +25,18 @@ severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
|
||||
type = "eql"
|
||||
query = '''
|
||||
sequence by host.id, process.entity_id with maxspan=1s
|
||||
[ file where host.os.type == "linux" and event.type == "change" and
|
||||
event.action == "rename" and file.extension != "" and
|
||||
file.path : (
|
||||
"/home/*", "/etc/*", "/root/*", "/opt/*", "/var/backups/*", "/var/lib/log/*"
|
||||
) and not
|
||||
file.extension : (
|
||||
"xml", "json", "conf", "dat", "gz", "info", "mod", "final",
|
||||
"php", "pyc", "log", "bak", "bin", "csv", "pdf", "cfg", "*old"
|
||||
) and not
|
||||
process.name : (
|
||||
"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
|
||||
"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy"
|
||||
) ] with runs=100 | tail 1
|
||||
sequence by host.id, process.entity_id with maxspan=1s
|
||||
[file where host.os.type == "linux" and event.type == "change" and event.action == "rename" and file.extension : "?*"
|
||||
and ((process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "ash", "openssl")) or
|
||||
(process.executable : ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/var/run/*", "/boot/*", "/srv/*", "/run/*"))) and
|
||||
file.path : (
|
||||
"/home/*/Downloads/*", "/home/*/Documents/*", "/root/*", "/bin/*", "/usr/bin/*",
|
||||
"/opt/*", "/etc/*", "/var/log/*", "/var/lib/log/*", "/var/backup/*", "/var/www/*") and not ((
|
||||
process.name : (
|
||||
"dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
|
||||
"conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
|
||||
"systemsettings", "vmis-launcher")) or file.path : "/etc/selinux/*" or (file.extension in ("qmlc", "txt")
|
||||
))] with runs=25
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
|
||||
Reference in New Issue
Block a user