Update command_and_control_frequent_egress_netcon_from_sus_executable.toml

Aegrah · web-flow · commit 9f0718a5088b · 2025-02-21T16:07:41.000+01:00
diff --git a/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml b/rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml
@@ -13,7 +13,8 @@ This rule detects a high number of egress network connections from an unusual ex
 This could indicate a command and control (C2) communication attempt, a brute force attack via a malware
 infection or other malicious activity.
 """
-from = "now-9m"
+from = "now-61m"
+interval = "1h"
 language = "esql"
 license = "Elastic License v2"
 name = "High Number of Egress Network Connections from Unusual Executable"
@@ -56,7 +57,8 @@ timestamp_override = "event.ingested"
 type = "esql"
 query = '''
 from logs-endpoint.events.network-*
-| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, destination.ip, process.entity_id, agent.id
+| keep @timestamp, host.os.type, event.type, event.action, process.name, process.executable, destination.ip, agent.id
+| where @timestamp > now() - 1 hours
 | where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and (
      (
        process.executable like "/tmp/*" or
@@ -76,7 +78,7 @@ from logs-endpoint.events.network-*
      process.executable like "/tmp/.mount*" or
      process.executable like "/tmp/go-build*"
    )
-| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.entity_id
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable
 | where agent_count == 1 and cc > 15
 | sort cc asc
 | limit 100
