[metadata] creation_date = "2023/07/10" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" updated_date = "2026/03/02" [rule] author = ["Elastic"] building_block_type = "default" description = """ This rule identifies Linux system information discovery activity via built-in commands that read common system files. Adversaries may use these commands to gather information about the operating system, installed services, and hardware configuration to aid in further exploration and exploitation of the system. """ from = "now-119m" index = ["logs-endpoint.events.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*",] interval = "60m" language = "kuery" license = "Elastic License v2" name = "Linux System Information Discovery" risk_score = 21 rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5" severity = "low" tags = [ "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: SentinelOne", ] timestamp_override = "event.ingested" type = "new_terms" query = ''' event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event or start) and process.name:("cat" or "more" or "less" or "nano" or "vi" or "vim" or "vim.basic" or "emacs") and process.args:( "/etc/issue" or "/etc/os-release" or "/proc/version" or "/etc/profile" or "/proc/cpuinfo" or "/etc/services" or "/etc/lsb-release" or "/etc/redhat-release" or "/etc/debian_version" or "/etc/hostname" ) and not process.parent.executable:("/usr/local/jamf/bin/jamf" or "/etc/cp/watchdog/cp-nano-watchdog") ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" [rule.new_terms] field = "new_terms_fields" value = ["process.parent.executable", "process.command_line", "host.id"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-5d"