
[Rule Tuning] Linux DR Tuning - Part 1 #3316

Merged
merged 11 commits into from
Jan 8, 2024
Merged

Conversation

Aegrah
Contributor

@Aegrah Aegrah commented Dec 12, 2023

Summary

Linux DR tuning for the first set of Linux DRs.

@terrancedejesus
Collaborator

terrancedejesus commented Dec 19, 2023

@Aegrah - Not entirely sure why your query is failing with wildcards in destination.ip. If we are attempting to ignore internal IPs, the following could be an alternative and does not fail during KQL validation.

host.os.type:linux
  and event.category:network and event.action:(connection_attempted or connection_accepted)
  and process.name:kworker* and not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.168.0.0/16 or
    224.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8")

Update

Still digging, but it seems that because the destination.ip field type is found to be ip and not keyword or wildcard, wildcards are not allowed, from the KQL parser perspective locally. I checked in Discover and this certainly is allowed, so it may be an update we need to make to the KQL semantics.


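As an added illustration (not code from the PR or from the detection-rules repository), this Python snippet mirrors the CIDR-based exclusion in the query above over constructed events, showing why CIDR containment, rather than string wildcard matching, is the operation that applies to an ip-typed field. Field names are assumed to be the flattened ECS names used in the query.

```python
import ipaddress

# Exclusion list taken from the KQL workaround above: RFC 1918, loopback,
# link-local and multicast ranges for IPv4, plus their IPv6 counterparts.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
        "192.168.0.0/16", "224.0.0.0/4", "::1/128", "FE80::/10", "FF00::/8",
    )
]


def is_internal(ip_str):
    """Equivalent of `destination.ip:(10.0.0.0/8 or ...)` on an ip-typed field:
    CIDR containment, not a string/wildcard comparison."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # an unparsable value never matches an ip-typed field
    # Membership across IP versions is simply False, so mixing v4/v6 is safe.
    return any(ip in net for net in INTERNAL_NETWORKS)


def matches_rule(event):
    """Mirror of the tuned query's predicate for one flattened event."""
    return (
        event.get("host.os.type") == "linux"
        and event.get("event.category") == "network"
        and event.get("event.action") in ("connection_attempted", "connection_accepted")
        # process.name is a keyword field, so the kworker* wildcard is a prefix match
        and str(event.get("process.name", "")).startswith("kworker")
        and not is_internal(event.get("destination.ip", ""))
    )


# Constructed sample events (not taken from the PR or any real host).
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "event.category": "network", "event.action": "connection_attempted", "process.name": "kworker/0:1", "destination.ip": "203.0.113.10"},
    {"host.os.type": "linux", "event.category": "network", "event.action": "connection_accepted", "process.name": "kworker/u8:2", "destination.ip": "192.168.1.20"},
    {"host.os.type": "linux", "event.category": "network", "event.action": "connection_attempted", "process.name": "kworker/1:0", "destination.ip": "fe80::1"},
    {"host.os.type": "linux", "event.category": "network", "event.action": "connection_attempted", "process.name": "curl", "destination.ip": "203.0.113.10"},
]


def alerting_destinations(events=SAMPLE_EVENTS):
    """Destination IPs of the events the rule would alert on."""
    return [e["destination.ip"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerting_destinations())  # ['203.0.113.10']
```

Only the kworker connection to a non-internal address survives; the RFC 1918 and link-local destinations are dropped by the CIDR test, and the non-kworker process never enters the filter.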
@Aegrah
Contributor Author

Aegrah commented Dec 19, 2023

@terrancedejesus thanks for digging! Yep, I was thinking of applying that change anyway. But indeed, as this is possible in Kibana, I figured it would also be possible here. For now, it's not a big deal, so I can just use your suggested workaround. Good to be aware of!

@terrancedejesus
Collaborator

Bug issue created: #3351

@Aegrah Aegrah merged commit b533642 into main Jan 8, 2024
13 checks passed
@Aegrah Aegrah deleted the linux-dr-tuning-1 branch January 8, 2024 08:50
protectionsmachine pushed a commit that referenced this pull request Jan 8, 2024
* [Rule Tuning] Linux DR Tuning - Part 1

* fix

* Update command_and_control_linux_kworker_netcon.toml

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_file_mod_writable_dir.toml

Removed changes from:
- rules/linux/command_and_control_linux_kworker_netcon.toml
- rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
- rules/linux/defense_evasion_file_mod_writable_dir.toml

(selectively cherry picked from commit b533642)
protectionsmachine pushed a commit that referenced this pull request Jan 8, 2024
* [Rule Tuning] Linux DR Tuning - Part 1

* fix

* Update command_and_control_linux_kworker_netcon.toml

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_file_mod_writable_dir.toml

(cherry picked from commit b533642)