[Rule Tuning] Q2 Linux DR Tuning - BBR (#4171)

Aegrah · github-actions[bot] · commit 9fa4ac1a511c · 2024-10-18T14:49:53.000Z
* [Rule Tuning] Q2 Linux DR Tuning - BBR * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update discovery_linux_sysctl_enumeration.toml * Update discovery_potential_memory_seeking_activity.toml * Update discovery_potential_memory_seeking_activity.toml (cherry picked from commit 592ad0f)
diff --git a/rules_building_block/discovery_capnetraw_capability.toml b/rules_building_block/discovery_capnetraw_capability.toml
@@ -5,7 +5,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/09/01"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,6 @@ risk_score = 21
 rule_id = "e28b8093-833b-4eda-b877-0873d134cf3c"
 setup = """## Setup
 
-
 This rule requires data coming in from Elastic Defend.
 
 ### Elastic Defend Integration Setup
@@ -52,7 +51,14 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Discovery",
+    "Data Source: Elastic Defend",
+    "Rule Type: BBR"
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
@@ -76,7 +82,7 @@ reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "user.id", "process.executable"]
+value = ["process.executable"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/12"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -54,31 +54,28 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 host.os.type:linux and event.category:file and event.action:"opened-file" and file.path:"/proc/modules" and
-not process.name:(grep or python* or chef-client)
+not process.name:(python* or chef-client)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.executable"]
+value = ["process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
-
-
+value = "now-14d"
diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/08"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -57,30 +57,28 @@ type = "new_terms"
 query = '''
 host.os.type:linux and event.category:file and event.action:"opened-file" and
 file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*) and not process.name:(
-  cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or
+  cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or borg or auditbeat or lspci or
   aide or modprobe or python*
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.executable"]
+value = ["process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/06/08"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -57,29 +57,27 @@ type = "new_terms"
 query = '''
 host.os.type:linux and event.category:file and event.action:("opened-file" or "read-file" or "wrote-to-file") and
 file.path : ("/etc/sysctl.conf" or "/etc/sysctl.d" or /etc/sysctl.d/*) and not process.name:(
-  dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool*
+  dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or pool*
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1082"
 name = "System Information Discovery"
 reference = "https://attack.mitre.org/techniques/T1082/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["host.id", "process.executable"]
+value = ["process.executable"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
-
-
diff --git a/rules_building_block/discovery_potential_memory_seeking_activity.toml b/rules_building_block/discovery_potential_memory_seeking_activity.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/10/18"
 
 [rule]
 author = ["Elastic"]
@@ -32,27 +32,33 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and (
-  (process.name == "tail" and process.args == "-c") or
+  (process.name == "tail" and process.args in ("-c", "--bytes")) or
   (process.name == "cmp" and process.args == "-i") or
   (process.name in ("hexdump", "xxd") and process.args == "-s") or
   (process.name == "dd" and process.args : ("skip*", "seek*"))
+) and not (
+  process.parent.args like ("/opt/error_monitor/error_monitor.sh", "printf*") or
+  process.parent.name in ("acme.sh", "dracut", "leapp") or
+  process.parent.executable like (
+    "/bin/cagefs_enter", "/opt/nessus_agent/sbin/nessus-service", "/usr/libexec/platform-python*",
+    "/usr/libexec/vdsm/vdsmd", "/usr/local/bin/docker-entrypoint.sh", "/usr/lib/module-init-tools/lsinitrd-quick"
+  ) or
+  process.parent.command_line like "sh*acme.sh*" or
+  process.args like "/var/tmp/dracut*"
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1057"
 name = "Process Discovery"
 reference = "https://attack.mitre.org/techniques/T1057/"
 
-
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
