[Rule Tuning] Misc. Linux ES|QL Rules (#5050)

* [Rule Tuning] Misc. Linux ES|QL Rules

* update date bump

* ++

* Update persistence_web_server_sus_child_spawned.toml

* Update working directory conditions in TOML file

(cherry picked from commit ef7ff52)

Author: Aegrah

rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/09/02"
 
 [rule]
 author = ["Elastic"]
@@ -91,7 +91,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "esql"
-
 query = '''
 from logs-endpoint.events.network-*
 | where
@@ -103,8 +102,17 @@ from logs-endpoint.events.network-*
         process.executable like "/tmp/*" or
         process.executable like "/var/tmp/*" or
         process.executable like "/dev/shm/*" or
-        process.name rlike ".*"
-    ) and not (
+        process.executable like "/var/log/*" or
+        process.executable like "/sys/*" or
+        process.executable like "/media/*" or
+        process.executable like "/proc/*" or
+        process.executable like "/var/backups/*" or
+        process.executable like "/var/mail/*" or
+        process.executable like "/var/spool/*" or
+        process.executable like "./*" or
+        process.name like ".*"
+    ) and
+    not (
         cidr_match(destination.ip,
             "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
             "192.0.0.0/24", "192.0.0.29/32", "192.0.0.8/32", "192.0.0.9/32",
@@ -113,7 +121,6 @@ from logs-endpoint.events.network-*
             "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
             "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8"
         ) or
-        process.executable like "/nix/store/*" or
         process.executable like "/tmp/newroot/*" or
         process.executable like "/tmp/.mount*" or
         process.executable like "/tmp/go-build*"
@@ -141,17 +148,15 @@ from logs-endpoint.events.network-*
 | limit 100
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-

rules/linux/discovery_port_scanning_activity_from_compromised_host.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/09/02"
 
 [rule]
 author = ["Elastic"]
@@ -93,14 +93,27 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "esql"
-
 query = '''
 from logs-endpoint.events.network-*
 | where
     @timestamp > now() - 1h and
     host.os.type == "linux" and
     event.type == "start" and
-    event.action == "connection_attempted"
+    event.action == "connection_attempted" and
+    not (
+      cidr_match(destination.ip, "127.0.0.0/8", "::1", "FE80::/10", "FF00::/8") or
+      process.executable in (
+        "/opt/dbtk/bin/jsvc", "/usr/lib/dotnet/dotnet", "/usr/share/elasticsearch/jdk/bin/java", "/usr/sbin/haproxy",
+        "/usr/bin/java", "/opt/kaspersky/kesl/libexec/kesl", "/usr/bin/dotnet", "/opt/java/openjdk/bin/java"
+      ) or
+      process.executable like "/var/opt/kaspersky/kesl/*kesl" or
+      process.executable like "/usr/lib/jvm/*/java" or
+      process.executable like "/opt/google/chrome*" or
+      process.executable like "/var/lib/docker/*/java" or
+      process.executable like "/usr/lib64/jvm/*/java" or
+      process.executable like "/snap/*" or
+      process.executable like "/home/*/.local/share/JetBrains/*"
+    )
 | keep
     @timestamp,
     host.os.type,
@@ -125,17 +138,15 @@ from logs-endpoint.events.network-*
 | limit 100
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1046/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-

rules/linux/discovery_subnet_scanning_activity_from_compromised_host.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/03/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/09/02"
 
 [rule]
 author = ["Elastic"]
@@ -92,15 +92,23 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "esql"
-
 query = '''
 from logs-endpoint.events.network-*
 | keep @timestamp, host.os.type, event.type, event.action, process.executable, destination.ip, agent.id, host.name
 | where
     @timestamp > now() - 1 hours and
     host.os.type == "linux" and
     event.type == "start" and
-    event.action == "connection_attempted"
+    event.action == "connection_attempted" and
+    not (
+      process.executable in ("/usr/local/bin/prometheus", "/app/extra/chrome") or
+      process.executable like "/usr/local/prometheus/*/prometheus" or
+      process.executable like "/usr/share/elastic-agent/*" or
+      process.executable like "/var/lib/docker/overlay*connectord" or
+      process.executable like "/opt/rumble/bin/rumble-agent*" or
+      process.executable like "/opt/gitlab/*" or
+      process.executable like "/opt/google/chrome/chrome*"
+    )
 | stats
     Esql.event_count = count(),
     Esql.destination_ip_count_distinct = count_distinct(destination.ip),
@@ -115,17 +123,15 @@ from logs-endpoint.events.network-*
 | limit 100
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1046"
 name = "Network Service Discovery"
 reference = "https://attack.mitre.org/techniques/T1046/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-

rules/linux/exfiltration_unusual_file_transfer_utility_launched.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/09/02"
 
 [rule]
 author = ["Elastic"]
@@ -91,10 +91,9 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "esql"
-
 query = '''
 from logs-endpoint.events.process-*
-| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, process.command_line, agent.id, host.name
+| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, process.parent.executable, agent.id, host.name
 | where
     @timestamp > now() - 1 hours and
     host.os.type == "linux" and
@@ -106,27 +105,26 @@ from logs-endpoint.events.process-*
     Esql.agent_id_count_distinct = count_distinct(agent.id),
     Esql.host_name_values = values(host.name),
     Esql.agent_id_values = values(agent.id)
-  by process.executable, process.parent.executable, process.command_line
+  by process.executable, process.parent.executable
 | where
     Esql.agent_id_count_distinct == 1 and
     Esql.event_count < 5
 | sort Esql.event_count asc
 | limit 100
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0010"
 name = "Exfiltration"
 reference = "https://attack.mitre.org/tactics/TA0010/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-

rules/linux/impact_potential_bruteforce_malware_infection.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/09/02"
 
 [rule]
 author = ["Elastic"]
@@ -95,7 +95,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "esql"
-
 query = '''
 from logs-endpoint.events.network-*
 | keep @timestamp, host.os.type, event.type, event.action, destination.port, process.executable, destination.ip, agent.id, host.name
@@ -105,14 +104,21 @@ from logs-endpoint.events.network-*
     event.type == "start" and
     event.action == "connection_attempted" and
     destination.port in (22, 222, 2222, 10022, 2022, 2200, 62612, 8022) and
-    not cidr_match(
+    not (
+      cidr_match(
         destination.ip,
         "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
         "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
         "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
         "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
         "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
         "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8"
+      ) or
+      process.executable in (
+        "/usr/bin/rclone", "/usr/bin/sss_ssh_knownhostsproxy", "/usr/sbin/sshd", "/usr/bin/ssh",
+        "/usr/local/bin/php", "/usr/sbin/apache2", "/usr/sbin/nginx", "/usr/local/bin/argocd-repo-server"
+      ) or
+      process.executable like "/usr/local/efax/*"
     )
 | stats
     Esql.event_count = count(),
@@ -127,46 +133,46 @@ from logs-endpoint.events.network-*
 | limit 100
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1496"
 name = "Resource Hijacking"
 reference = "https://attack.mitre.org/techniques/T1496/"
 
-
 [rule.threat.tactic]
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1059"
 name = "Command and Scripting Interpreter"
 reference = "https://attack.mitre.org/techniques/T1059/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1059.004"
 name = "Unix Shell"
 reference = "https://attack.mitre.org/techniques/T1059/004/"
 
-
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
 
-
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-