From e994b62ecb838f73fa56d145e529169ebd2f5133 Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Wed, 22 Feb 2023 09:48:05 +0100
Subject: [PATCH] Removed old, created new rule to bypass "type" bug
---
 ...> persistence_linux_shell_activity_by_web_server.toml} | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 rename rules/linux/{persistence_shell_activity_by_web_server.toml => persistence_linux_shell_activity_by_web_server.toml} (96%)
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_linux_shell_activity_by_web_server.toml
similarity index 96%
rename from rules/linux/persistence_shell_activity_by_web_server.toml
rename to rules/linux/persistence_linux_shell_activity_by_web_server.toml
index e13bdec8286..b3424552cf6 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_by_web_server.toml
@@ -1,10 +1,10 @@
 [metadata]
-creation_date = "2020/02/18"
+creation_date = "2023/02/22"
 integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/21"
+updated_date = "2023/02/22"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Shell via Web Server"
+name = "Potential Remote Code Execution via Web Server"
 note = """## Triage and analysis
 ### Investigating Potential Shell via Web Server
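Review bot: The investigation guide heading on the last context line of the second hunk, `### Investigating Potential Shell via Web Server`, still uses the old rule name after `name` was changed to "Potential Remote Code Execution via Web Server", so the guide no longer matches the rule it documents. The `note` string continues past the hunk, so any further mentions of the old name there should be updated in the same commit; the visible heading would become `### Investigating Potential Remote Code Execution via Web Server`. The new name describes an execution outcome while the `tags` line in the third hunk still files the rule under "Persistence"; it is worth confirming that the `threat` mapping outside the diff still reflects the intended tactic.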
@@ -67,7 +67,7 @@ references = [
 "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
 ]
 risk_score = 47
-rule_id = "0bb0296f-0e9f-44e5-b709-bd61e0577fd5"
+rule_id = "b7b2c320-d4db-4f8e-8f92-83f9d0c3e6a4"
 severity = "medium"
 tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"]
 timestamp_override = "event.ingested"
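Review bot: Assigning a fresh `rule_id` makes consumers treat this as a brand-new rule, so deployments that already installed `0bb0296f-0e9f-44e5-b709-bd61e0577fd5` will likely keep that copy alongside the new one and may alert twice on the same events, while exceptions or tuning attached to the old id are not carried over. If the repository keeps a deprecation record for retired rule ids, the old id belongs in it in this same commit; otherwise the commit description should state explicitly that the old id is retired so downstream maintainers can remove it. The 96% rename similarity shows the detection logic is unchanged, so this is a re-identification rather than new detection content, which is consistent with the `creation_date` reset in the first hunk but worth saying in the description.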