[Rule Tuning] Linux User Added to Privileged Group (#4206)

(cherry picked from commit b0bba39)

Author: Aegrah

rules/linux/persistence_linux_user_added_to_privileged_group.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/02/13"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/10/24"
 
 [transform]
 [[transform.osquery]]
@@ -120,35 +120,31 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
  and process.args in (
   "root", "admin", "wheel", "staff", "sudo","disk", "video", "shadow", "lxc", "lxd"
 ) and
 (
   process.name in ("usermod", "adduser") or
-  process.name == "gpasswd" and 
-  process.args in ("-a", "--add", "-M", "--members") 
+  (process.name == "gpasswd" and process.args in ("-a", "--add", "-M", "--members")) 
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1136"
 name = "Create Account"
 reference = "https://attack.mitre.org/techniques/T1136/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1136.001"
 name = "Local Account"
 reference = "https://attack.mitre.org/techniques/T1136/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-