From f02325fe2f355845e92dbcebb0d3bb4acb0eb9db Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Thu, 2 Jun 2022 10:36:23 +0530
Subject: [PATCH] [Rule Tuning] Add MITRE Details to exisisting hpining activity rule. (#2012)

* Add MITRE Details to existing hping activity rule.
---
 ...oml => discovery_linux_hping_activity.toml} | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
 rename rules/linux/{linux_hping_activity.toml => discovery_linux_hping_activity.toml} (71%)

diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml
similarity index 71%
rename from rules/linux/linux_hping_activity.toml
rename to rules/linux/discovery_linux_hping_activity.toml
index 429d1a38b..6e9d79e96 100644
--- a/rules/linux/linux_hping_activity.toml
+++ b/rules/linux/discovery_linux_hping_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/06/02"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = ["https://en.wikipedia.org/wiki/Hping"]
 risk_score = 73
 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
 timestamp_override = "event.ingested"
 type = "query"
 
@@ -32,3 +32,17 @@ query = '''
 event.category:process and event.type:(start or process_started) and
 process.name:(hping or hping2 or hping3)
 '''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1082"
+name = "System Information Discovery"
+reference = "https://attack.mitre.org/techniques/T1082/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
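Review bot: T1082 (System Information Discovery) is a loose fit for what the last hunk maps: the query fires on a start of hping/hping2/hping3, a packet-crafting tool whose documented use is probing hosts, ports and firewall rules over the network rather than enumerating the local host, which ATT&CK files under T1046 (Network Service Discovery, named Network Service Scanning in older ATT&CK releases) within the same Discovery tactic. Consider changing the `[[rule.threat.technique]]` entry to `id = "T1046"`, `name = "Network Service Discovery"`, `reference = "https://attack.mitre.org/techniques/T1046/"`, checking the name against the ATT&CK version the repository's rule schema validates against; TA0007 stays correct either way, and the new "Discovery" tag is consistent with both. As a point of style, the two blank lines before `[rule.threat.tactic]` and the extra blank line the hunk appends at the end of the file should each be collapsed to a single blank line, and one blank line between `framework = "MITRE ATT&CK"` and the technique header would match the spacing used elsewhere in the file.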