Update process name conditions for suspicious execution

Aegrah · web-flow · commit 6cedfe8c9784 · 2025-12-03T15:14:57.000+01:00
diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
@@ -46,7 +46,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and (
   (process.name == "kubectl" and process.args == "run" and process.args == "--restart=Never" and process.args == "--") or
-  (process.name == "docker" and process.args == "run")
+  (process.name in ("docker", "nerdctl", "ctl") and process.args == "run")
 ) and 
 process.args in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
 process.command_line like~ (
