[Rule Tuning] Linux DR Tuning - Part 3

rules/linux/execution_abnormal_process_id_file_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/05/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/10/17"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -126,8 +126,9 @@ file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and
   ) or
   process.name : (
     go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or
-    rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or
-    s6-ipcserver-socketbinder or xinetd
+    rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or libvirt_leaseshelper or
+    s6-ipcserver-socketbinder or xinetd or libvirtd or veeamdeploymentsvc  or dnsmasq or virtlogd or lynis or
+    veeamtransport
   ) or
   file.name : (
     jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or

rules/linux/execution_file_execution_followed_by_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -65,9 +65,10 @@ sequence by host.id, user.id with maxspan=1m
      "/tmp/VeeamApp*", "/tmp/rajh/spack-stage/*", "plz-out/bin/vault/bridge/test/e2e/base/bridge-dev",
      "/usr/bin/ranlib", "/usr/bin/ar", "plz-out/bin/vault/bridge/test/e2e/base/local-k8s"
    )] by process.name
-  [file where host.os.type == "linux" and event.action == "deletion" and not process.name in ("rm", "ld") and
-   file.path : ("/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*",
-     "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*")] by file.name
+  [file where host.os.type == "linux" and event.action == "deletion" and
+   file.path : (
+     "/dev/shm/*", "/run/shm/*", "/tmp/*", "/var/tmp/*", "/run/*", "/var/run/*", "/var/www/*", "/proc/*/fd/*"
+    ) and not process.name in ("rm", "ld", "conftest", "link", "gcc", "getarch", "ld")] by file.name
 '''
 note = """## Triage and analysis
 

rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/17"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -136,7 +136,8 @@ sequence by process.entity_id
           or process.args:(">","<")
           /* file transfer via pipe */
           or (process.args:("|") and process.args:("nc","ncat"))
-      )]
+      ) and
+      not process.command_line like~ ("*127.0.0.1*", "*localhost*")]
   [network where host.os.type == "linux" and (process.name == "nc" or process.name == "ncat" or process.name == "netcat" or
                   process.name == "netcat.openbsd" or process.name == "netcat.traditional")]
 '''

rules/linux/execution_network_event_post_compilation.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ sequence by host.id with maxspan=1m
   [process where host.os.type == "linux" and event.type == "start" and event.action == "exec"] by process.name
   [network where host.os.type == "linux" and event.action == "connection_attempted" and destination.ip != null and not (
      cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or
-     process.name in ("simpleX", "conftest", "ssh", "python", "ispnull", "pvtui")
+     process.name in ("simpleX", "conftest", "ssh", "python", "ispnull", "pvtui", "npreal2d", "ruby", "source", "ssh")
    )] by process.name
 '''
 note = """## Triage and analysis

rules/linux/execution_remote_code_execution_via_postgresql.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/06/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,10 @@ event.action in ("exec", "exec_event", "fork", "fork_event") and user.name == "p
   (process.args : "*sh" and process.args : "echo*")
 ) and not (
   process.parent.name == "puppet" or
-  process.command_line like "*BECOME-SUCCESS-*" or
+  process.command_line like (
+    "*BECOME-SUCCESS-*", "bash -c while true; do sleep 1;*", "df -l", "sleep 1", "who", "head -v -n *", "tail -v -n *",
+    "/bin/sh -c echo BECOME-SUCCESS*", "/usr/bin/python3 /var/tmp/ansible-tmp*"
+  ) or
   process.parent.command_line like "*BECOME-SUCCESS-*"
 )
 '''

rules/linux/execution_shell_openssl_client_or_server.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,9 @@ process where host.os.type == "linux" and event.type == "start" and event.action
     (process.args == "s_client" and process.args : ("-connect", "*:*") and not process.args == "-showcerts") or
     (process.args == "s_server" and process.args == "-port")
   ) and
-  not process.parent.executable in ("/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert")
+  not process.parent.executable in (
+    "/pro/xymon/client/ext/awsXymonCheck.sh", "/opt/antidot-svc/nrpe/plugins/check_cert", "/etc/zabbix/scripts/check_dane_tlsa.sh"
+  )
 '''
 note = """## Triage and analysis
 

rules/linux/execution_unix_socket_communication.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -45,7 +45,10 @@ process where host.os.type == "linux" and event.type == "start" and
   (process.name == "socat" and
    process.args == "-" and process.args : ("UNIX-CLIENT:/usr/local/*", "UNIX-CLIENT:/run/*", "UNIX-CLIENT:/var/run/*"))
 ) and
-not process.args == "/var/run/libvirt/libvirt-sock"
+not (
+  process.args == "/var/run/libvirt/libvirt-sock" or
+  process.parent.name in ("bundle", "ruby", "haproxystatus.sh")
+)
 '''
 note = """## Triage and analysis
 

rules/linux/execution_unknown_rwx_mem_region_binary_executed.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/03/13"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ event.category:process and host.os.type:linux and auditd.data.syscall:mprotect a
   process.executable:(
     "/usr/share/kibana/node/bin/node" or "/usr/share/elasticsearch/jdk/bin/java" or "/usr/sbin/apache2"
   ) or
-  process.name:httpd
+  process.name:(httpd or java)
 )
 '''
 note = """## Triage and analysis

rules/linux/execution_unusual_path_invocation_from_command_line.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -58,8 +58,8 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
 event.category:process and host.os.type:linux and event.type:start and event.action:exec and
-process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and
-process.args:-c and process.command_line:*PATH=*
+process.name:(bash or csh or dash or fish or ksh or sh or tcsh or zsh) and process.args:-c and
+process.command_line:(*PATH=* and not sh*/run/motd.dynamic.new)
 '''
 note = """## Triage and analysis
 

rules/linux/exfiltration_potential_data_splitting_for_exfiltration.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ process where host.os.type == "linux" and event.type == "start" and
     )
   ) and
   not (
-    process.parent.name in ("apport", "overlayroot") or
+    process.parent.name in ("apport", "overlayroot", "nessus-agent-module") or
     process.args like (
       "if=/tmp/nvim*", "if=/boot/*", "if=/dev/random", "if=/dev/urandom", "/dev/mapper/*",
       "if=*.iso", "of=/dev/stdout", "if=/dev/zero", "if=/dev/sda", "/proc/sys/kernel/*"

rules/linux/impact_memory_swap_modification.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,8 @@ process.name in ("swapon", "swapoff") or (
       process.command_line like "*echo *"
     )
   )
-)
+) and
+not process.parent.name in ("lynis", "systemd", "end-zram-swapping", "SyxsenseResponder", "tuned", "platform-python", "timeout")
 '''
 note = """## Triage and analysis
 

rules/linux/impact_potential_linux_ransomware_note_detected.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/03/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,7 @@ sequence by process.entity_id, host.id with maxspan=1s
    not process.name : (
      "dpkg", "yum", "dnf", "rpm", "dockerd", "go", "java", "pip*", "python*", "node", "containerd", "php", "p4d",
      "conda", "chrome", "imap", "cmake", "firefox", "semanage", "semodule", "ansible-galaxy", "fc-cache", "jammy", "git",
-     "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init"
+     "systemsettings", "vmis-launcher", "bundle", "kudu-tserver", "suldownloader", "rustup-init", "bun"
     )
   ] with runs=25
   [file where host.os.type == "linux" and event.action == "creation" and