Fix string errors and tag errors

shashank-elastic · shashank-elastic · commit b4da050d9581 · 2025-12-08T18:16:28.000+05:30
diff --git a/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml b/rules/cross-platform/discovery_web_server_local_file_inclusion_activity.toml
@@ -18,7 +18,7 @@ interval = "10m"
 language = "esql"
 license = "Elastic License v2"
 name = "Web Server Local File Inclusion Activity"
-note = """## Triage and analysis
+note = """ ## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
@@ -42,7 +42,7 @@ This rule surfaces successful GET requests containing directory traversal or dir
 
 ### Response and remediation
 
-- Immediately block the source IP at the reverse proxy/WAF and deploy deny rules for GET requests using ../../ or ..\..\ traversal or wrappers (php://, expect://, data://) that fetch /etc/passwd, /proc/self/environ, wp-config.php, web.config, or applicationhost.config.
+- Immediately block the source IP at the reverse proxy/WAF and deploy deny rules for GET requests using ../../ or ..\\..\\ traversal or wrappers (php://, expect://, data://) that fetch /etc/passwd, /proc/self/environ, wp-config.php, web.config, or applicationhost.config.
 - Configure the web server to return 403 for paths resolving to /proc, /etc, /var/log, /inetpub, applicationhost.config, and web.config and to reject wrapper schemes like php:// and expect://, then reload Nginx/Apache/IIS to apply.
 - Fix the vulnerable include logic by canonicalizing input with realpath, rejecting any .. segments or absolute paths, enforcing a whitelist of allowed files, and in PHP disabling allow_url_include/allow_url_fopen and setting open_basedir to a safe directory.
 - Rotate exposed secrets by changing database and API credentials from wp-config.php, connection strings and machine keys from web.config/applicationhost.config, and any tokens in /proc/self/environ, then invalidate active sessions and cache.
diff --git a/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml b/rules/linux/execution_suspicious_pod_or_container_creation_command_execution.toml
@@ -71,7 +71,7 @@ tags = [
     "Data Source: Auditd Manager",
     "Data Source: Crowdstrike",
     "Data Source: SentinelOne",
-    "Resource: Investigation Guide",
+    "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/persistence_web_server_unusual_command_execution.toml b/rules/linux/persistence_web_server_unusual_command_execution.toml
@@ -58,7 +58,7 @@ tags = [
   "Use Case: Threat Detection",
   "Tactic: Persistence",
   "Data Source: Elastic Defend",
-  "Resource: Investigation Guide",
+  "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"

Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ tags = [`
`71`	`71`	`"Data Source: Auditd Manager",`
`72`	`72`	`"Data Source: Crowdstrike",`
`73`	`73`	`"Data Source: SentinelOne",`
`74`		`- "Resource: Investigation Guide",`
	`74`	`+ "Resources: Investigation Guide",`
`75`	`75`	`]`
`76`	`76`	`timestamp_override = "event.ingested"`
`77`	`77`	`type = "eql"`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ tags = [`
`58`	`58`	`"Use Case: Threat Detection",`
`59`	`59`	`"Tactic: Persistence",`
`60`	`60`	`"Data Source: Elastic Defend",`
`61`		`- "Resource: Investigation Guide",`
	`61`	`+ "Resources: Investigation Guide",`
`62`	`62`	`]`
`63`	`63`	`timestamp_override = "event.ingested"`
`64`	`64`	`type = "new_terms"`