[Rule Tuning] Linux DR Tuning - Part 1

rules/linux/command_and_control_ip_forwarding_activity.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,8 @@ process.parent.executable != null and process.command_line like (
     process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and
     process.command_line like "*echo *"
   )
-)
+) and
+not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap")
 '''
 note = """## Triage and analysis
 

rules/linux/command_and_control_linux_chisel_client_activity.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -152,7 +152,7 @@ sequence by host.id, process.entity_id with maxspan=3s
   [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
    process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and 
    process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
-   not process.name in ("velociraptor", "nbemmcmd")]
+   not process.name in ("velociraptor", "nbemmcmd", "redis-cli", "ipa")]
   [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and 
    destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and 
    not process.name : (

rules/linux/command_and_control_linux_kworker_netcon.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/10/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,8 @@ process.name:kworker* and not destination.ip:(
   224.0.0.0/4 or
   "::1" or
   "FE80::/10" or
-  "FF00::/8"
+  "FF00::/8" or
+  "0.0.0.0"
 ) and not destination.port:("2049" or "111" or "892" or "597")
 '''
 note = """## Triage and analysis

rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [transform]
 [[transform.osquery]]
@@ -195,7 +195,7 @@ not (
   process.name : (
     apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or
     kited or node or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or
-    php* or pip* or python* or steam* or terraform*
+    php* or pip* or python* or steam* or terraform* or filebeat or apk or cursor or http
   ) or
   destination.ip:(
     0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or

rules/linux/credential_access_ssh_backdoor_log.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 min_stack_version = "8.13.0"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
     "https://github.com/eset/malware-ioc/tree/master/sshdoor",
     "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
 ]
-risk_score = 73
+risk_score = 21
 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
 setup = """## Setup
 
@@ -65,7 +65,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 #### Custom Ingest Pipeline
 For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
 """
-severity = "high"
+severity = "low"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",

rules/linux/defense_evasion_acl_modification_via_setfacl.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,9 @@ process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name == "setfacl" and not (
   process.command_line == "/bin/setfacl --restore=-" or
-  process.args == "/var/log/journal/"
+  process.args == "/var/log/journal/" or
+  process.parent.name in ("stats.pl", "perl", "find") or
+  process.parent.command_line like~ "/bin/sh -c *ansible*"
 )
 '''
 note = """## Triage and analysis

rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +65,8 @@ process where host.os.type == "linux" and event.type == "start" and event.action
   (process.name == "chkconfig" and process.args == "off") or
   (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
 ) and
-process.args in ("auditd", "auditd.service")
+process.args in ("auditd", "auditd.service") and 
+not process.parent.name == "auditd.prerm"
 '''
 note = """## Triage and analysis
 

rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,8 @@ process where host.os.type == "linux" and event.action in ("exec", "exec_event",
  ( (process.name == "service" and process.args == "stop") or
    (process.name == "chkconfig" and process.args == "off") or
    (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
- ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service")
+ ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and
+not process.parent.name == "rsyslog-rotate"
 '''
 note = """## Triage and analysis
 

rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/08/29"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,8 @@ file.Ext.original.path : (
   process.name like (
     "python*", "packagekitd", "systemd", "ln", "platform-python", "dnf_install", "runc", "apt-get", "ssm-agent-worker",
     "convert-usrmerge", "updatenow.static-cpanelsync", "apk", "exe", "php", "containerd-shim-runc-v2", "dpkg", "sed",
-    "platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*"
+    "platform-python*", "gedit", "crond", "sshd", "ruby", "sudo", "chainctl", "update-alternatives", "pip*", "microdnf",
+    "rsync", "convert2rhel", "convert-usr-merge"
   ) or
   file.Ext.original.path : (
     "/bin/*.tmp", "/usr/bin/*.tmp", "/usr/local/bin/*.tmp", "/sbin/*.tmp", "/usr/sbin/*.tmp", "/usr/local/sbin/*.tmp"

rules/linux/defense_evasion_clear_kernel_ring_buffer.toml

@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/15"
+updated_date = "2025/01/24"
 
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ type = "eql"
 
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
- and process.name == "dmesg" and process.args == "-c"
+ and process.name == "dmesg" and process.args in ("-c", "--clear")
 '''
 note = """## Triage and analysis
 
@@ -98,32 +98,30 @@ The kernel ring buffer logs system messages, crucial for diagnosing issues. Adve
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 - Conduct a post-incident review to identify gaps in detection and response, and update security policies and procedures to prevent recurrence."""
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1070"
 name = "Indicator Removal"
 reference = "https://attack.mitre.org/techniques/T1070/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1070.002"
 name = "Clear Linux or Mac System Logs"
 reference = "https://attack.mitre.org/techniques/T1070/002/"
 
-
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-