[Rule Tuning] Event Aggregation - Fix event.action & event.type conditions (#4445)

w0rk3r · DefSecSentinel · web-flow · commit 5155f47b86a4 · 2025-02-07T18:42:28.000-03:00
* [Rule Tuning] Event Aggregation - Fix `event.action` &amp; `event.type` conditions

* .

---------

Co-authored-by: Colson Wilhoit &lt;48036388+DefSecSentinel@users.noreply.github.com&gt;
diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -41,8 +41,8 @@ process where container.id: "*" and
 event.type== "start" and
 
 /*D4C consolidates closely spawned event.actions, this excludes end actions to only capture ongoing processes*/
-event.action in ("fork", "exec") and event.action != "end"
- and process.entry_leader.same_as_process== false and
+event.action in ("fork", "exec") and
+ process.entry_leader.same_as_process== false and
 (
 (process.executable: "*/*sh" and process.args: ("-i", "-it")) or
 process.args: "*/*sh"
diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -45,7 +45,7 @@ type = "eql"
 
 query = '''
 process where container.id: "*" and event.type== "start" and
-event.action in ("fork", "exec") and event.action != "end" and
+event.action in ("fork", "exec") and
 process.name: ("sshd", "ssh", "autossh")
 '''
 note = """## Triage and analysis
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/02/04"
+updated_date = "2025/02/07"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +66,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "linux" and event.type != "end" and process.executable == "/usr/sbin/tc" and
+process where host.os.type == "linux" and event.type == "start" and process.executable == "/usr/sbin/tc" and
 process.args == "filter" and process.args == "add" and process.args == "bpf" and
 not process.parent.executable == "/usr/sbin/libvirtd"
 '''
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/02/07"
 
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=30s
  [process where host.os.type == "macos" and event.type == "start" and process.name == "osascript"]
- [network where host.os.type == "macos" and event.type != "end" and process.name == "osascript" and destination.ip != "::1" and
+ [network where host.os.type == "macos" and event.type == "start" and process.name == "osascript" and destination.ip != "::1" and
   not cidrmatch(destination.ip,
     "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
     "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24",
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -40,7 +40,7 @@ type = "eql"
 
 query = '''
 sequence with maxspan=1m
-  [process where host.os.type == "windows" and event.type != "end" and
+  [process where host.os.type == "windows" and event.type == "start" and
     ((process.name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",
                       "powershell.exe", "pwsh.exe", "powershell_ise.exe", "WmiPrvSe.exe", "wsmprovhost.exe", "winrshost.exe") or
     process.pe.original_file_name : ("cmd.exe", "wscript.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe", "mshta.exe",
