[Rule Tuning] Container Management Utility Run Inside A Container (#4809)

Aegrah · web-flow · commit 103fbf12c8f7 · 2025-06-17T14:30:34.000+02:00
* [Rule Tuning] Container Management Utility Run Inside A Container

* ++
diff --git a/rules/linux/execution_container_management_binary_launched_inside_container.toml b/rules/linux/execution_container_management_binary_launched_inside_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/12"
+updated_date = "2025/06/17"
 
 [rule]
 author = ["Elastic"]
@@ -65,8 +65,9 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
-process.entry_leader.entry_meta.type == "container" and
-process.name in ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl")
+process.entry_leader.entry_meta.type == "container" and process.interactive == true and
+process.name in ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl") and
+not process.parent.executable in ("/sbin/init", "/usr/bin/dockerd")
 '''
 note = """## Triage and analysis
 
