[Tuning] Linux DR Tuning - Part 6 (#3457)

* [Tuning] Linux DR Tuning - Part 6

* Update discovery_ping_sweep_detected.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2024-03-07 10:09:14 +01:00
committed by GitHub
parent ae3f4737ab
commit f37a3bfd48
5 changed files with 43 additions and 21 deletions
+14 -6
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2023/09/04"
integration = ["endpoint"]
integration = ["endpoint", "auditd_manager"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/19"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ Adversaries may leverage built-in tools such as ping, netcat or socat to execute
attempting to evade detection or due to the lack of network mapping tools available on the compromised host.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Network Scan Executed From Host"
@@ -48,12 +48,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame",
"Data Source: Auditd Manager"
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
host.os.type:linux and event.action:exec and event.type:start and
process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)
event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and
event.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)
'''
[[rule.threat]]
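Review bot: The third hunk's query now expects auditd-derived actions (`exec_event`, `executed`, `process_started`) and the first two hunks add `auditd_manager`, `auditbeat-*` and `logs-auditd_manager.auditd-*`, but the only guidance visible in the hunk context still points readers to the Elastic Defend helper guide and no `setup` change appears in this diff. Auditd-based sources only emit exec events when the host's audit rules capture the execve syscall, so if the setup text was not updated elsewhere it should state that requirement; otherwise the new indices may simply contribute no documents and the added "Data Source" tags overstate coverage. `min_stack_comments` is also unchanged while `integration` gains `auditd_manager`, which is worth confirming against the stated minimum version. The `query` string is fully inside the hunk, but the multi-line `setup`/`note` text that precedes it starts outside it.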
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
min_stack_version = "8.11.0"
updated_date = "2024/01/09"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies recursive process capability enumeration of the entire filesystem thr
Malicious users may manipulate identified capabilities to gain root privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Process Capability Enumeration"
@@ -46,11 +46,18 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
process.name == "getcap" and process.args == "-r" and process.args == "/" and process.args_count == 3 and
user.id != "0"
'''
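Review bot: Extending `index` with `endgame-*` in the second hunk only yields detections if Endgame documents populate every field the query ANDs together, and `process.args_count == 3` plus `user.id != "0"` in the third hunk are the ones most likely to be missing or shaped differently on that source. If either field is absent, the rule never matches those documents and the failure is invisible, so the change should be validated against a sample Endgame exec event before the "Data Source: Elastic Endgame" tag is relied on. `min_stack_comments` still describes only the Defend capability fields, so a short addition noting the Endgame coverage assumption would help the next tuner. The `query` block is complete within the hunk; the `[rule]` body it belongs to starts outside it.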
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -47,14 +47,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "sudo" and process.args == "-l" and process.args_count == 2 and
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args == "dpkg"
'''
[[rule.threat]]
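Review bot: The new `not process.args == "dpkg"` clause at the end of the query can only match when argv[0] is `dpkg`, because the preceding conditions already require `process.args == "-l"` and `process.args_count == 2`, leaving no room for a further argument. If the intent is to exclude a `dpkg`-named argv[0] invoking the sudo binary, that deserves a line in `false_positives` or a comment, since a reader will otherwise assume the clause is unreachable; if the intent was a `dpkg` parent or a longer command line, the clause does not cover it. An exclusion keyed on argv text is also the weakest anchor available, so `process.parent.executable` or `process.executable` would pin the benign case more reliably. The `query` string ends at the `'''` inside the hunk, but the `[rule]` body it belongs to starts outside it.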
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/12/13"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["logs-endpoint.events.*"]
index = ["logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Abnormal Process ID or Lock File Created"
@@ -108,13 +108,14 @@ tags = [
"Tactic: Execution",
"Threat: BPFDoor",
"Resources: Investigation Guide",
"Data Source: Elastic Defend"
"Data Source: Elastic Defend",
"Data Source: Elastic Endgame"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
host.os.type:linux and event.category:file and event.action:creation and
host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and
user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (
(process.name : (
bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)
@@ -123,7 +124,7 @@ user.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* o
./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*
))
) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or
vzctl or ifup or rpcbind) and
vzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and
not file.name : (jem.*.pid)
'''
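Review bot: The widened exclusion in the last hunk, `not process.name : (... runc or gitlab-runner-helper or elastic-agent or metricbeat)`, removes coverage for four more names on a name-only basis, and `runc` in particular is the component that writes container pid files under `/run`, so this turns a large class of container-related pid/lock writes into a blind spot. If these are confirmed false positives from the host's own agents, the exclusion would be safer keyed on `process.executable` (the agent's installed path, `<INSTALL_PATH>` as a placeholder here) or on the parent, since `process.name` only reflects a file name that any executable can carry. The first hunk's `event.action:(creation or file_create_event)` change reads fine. The `query` body spans both hunks and its middle portion is outside the visible context.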
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6."
min_stack_version = "8.6.0"
updated_date = "2023/12/13"
updated_date = "2024/02/20"
[rule]
author = ["Elastic"]
@@ -84,7 +84,8 @@ and (
process.args : ("--socks5-hostname", "--proxy", "--preproxy", "socks5*") or
process.env_vars: ("http_proxy=socks5h://*", "HTTPS_PROXY=socks5h://*", "ALL_PROXY=socks5h://*")
) and length(process.command_line) > 255 and
not process.parent.name in ("cf-agent", "agent-run", "rudder", "agent-inventory", "cf-execd")
not process.parent.name in ("cf-agent", "agent-run", "agent-check", "rudder", "agent-inventory", "cf-execd") and
not process.args == "/opt/rudder/bin/curl"
'''
[[rule.threat]]
@@ -99,4 +100,3 @@ reference = "https://attack.mitre.org/techniques/T1203/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
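Review bot: In the first hunk, `not process.args == "/opt/rudder/bin/curl"` excludes any invocation whose command line contains that path at any argument position, not just the Rudder-installed binary; `process.executable == "/opt/rudder/bin/curl"` would exclude exactly the binary the OS ran and nothing else. The `process.parent.name` list in the same hunk now carries five name-only exclusions, which is worth a `false_positives` entry explaining the Rudder/CFEngine origin so future tuners do not keep appending to it. The `query` string begins outside the hunk; the second hunk only drops a trailing blank line.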