add feedback changes

Author: Mikaayenson

rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml

@@ -56,9 +56,9 @@ references = [
     "https://atlas.mitre.org/techniques/AML.T0086",
     "https://www.elastic.co/security-labs/elastic-advances-llm-security",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
-severity = "high"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: macOS",
@@ -98,7 +98,7 @@ network where host.os.type in ("macos", "windows") and
     "npx", "pnpm", "yarn", "bunx"
   ) and
 
-  // Suspicious TLDs
+  // Suspicious TLDs 
   (
     // Windows DNS events
     (host.os.type == "windows" and dns.question.name != null and
@@ -107,6 +107,9 @@ network where host.os.type in ("macos", "windows") and
     // macOS network events
     (host.os.type == "macos" and destination.domain != null and
      destination.domain regex """.*\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou|quest|cc|bar|cfd|click|cam|surf|tk|shop|club|icu|pw|ws|online|fun|life|boats|store|hair|skin|motorcycles|christmas|lol|makeup|mom|bond|beauty|biz|live|work|zip|country|accountant|date|party|science|loan|win|men|faith|review|racing|download|host)""")
+
+    // Linux DNS events
+    // Revist when available
   )
 '''
 

rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml

@@ -10,7 +10,7 @@ description = """
 Detects when GenAI tools access sensitive files such as cloud credentials, SSH keys, browser password databases, or
 shell configurations. Attackers leverage GenAI agents to systematically locate and exfiltrate credentials, API keys, and
 tokens. Access to credential stores (.aws/credentials, .ssh/id_*) suggests harvesting, while writes to shell configs
-(.bashrc, .zshrc) indicate persistence attempts.
+(.bashrc, .zshrc) indicate persistence attempts. Note: On linux only creation events are available. Access events are not yet implemented.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.file*"]

rules/cross-platform/defense_evasion_genai_config_modification.toml

@@ -57,7 +57,6 @@ rule_id = "590fc62d-7386-4c75-92b0-af4517018da1"
 severity = "medium"
 tags = [
     "Domain: Endpoint",
-    "OS: Linux",
     "OS: macOS",
     "OS: Windows",
     "Use Case: Threat Detection",

rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml

@@ -146,7 +146,12 @@ sequence by process.entity_id with maxspan=30s
   [network where event.type == "start"
      and event.action == "connection_attempted"
      and destination.ip != null
-     and not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "::1", "FE80::/10", "FF00::/8")
+     and not cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29",
+                       "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+                       "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10",
+                       "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10",
+                       "FF00::/8")
+     
   ] by process.entity_id
 '''