[Rule Tuning] Suspicious React Server Child Process (#5419)

Aegrah · web-flow · commit bd9b1f222d57 · 2025-12-08T12:50:41.000+01:00
diff --git a/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml b/rules/cross-platform/initial_access_execution_susp_react_serv_child.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/12/05"
+updated_date = "2025/12/08"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and event.action != "fork" and (
+process where event.type == "start" and event.action in ("exec", "executed", "start", "process_started") and (
     process.name in (
       "sh", "bash", "zsh", "curl", "wget", "id", "whoami", "uname", "cmd.exe", "cat", "powershell.exe", "java", "rundll32.exe", "wget.exe", "certutil.exe",
       "nc", "ncat", "netcat", "nc.openbsd", "nc.traditional", "socat", "busybox", "mkfifo", "nohup", "setsid", "xterm"
