[Rule Tuning] Linux DR Tuning - 4

Author: Aegrah

rules/linux/command_and_control_frequent_egress_netcon_from_sus_executable.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/20"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/09/02"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -92,7 +92,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-from logs-endpoint.events.network-*
+from logs-endpoint.events.network-* metadata _id, _index, _version
+| mv_expand event.action 
 | where
     @timestamp > now() - 1h and
     host.os.type == "linux" and
@@ -134,12 +135,15 @@ from logs-endpoint.events.network-*
     process.executable,
     destination.ip,
     agent.id,
-    host.name
+    host.name,
+    Esql.*
 | stats
     Esql.event_count = count(),
     Esql.agent_id_count_distinct = count_distinct(agent.id),
     Esql.host_name_values = values(host.name),
-    Esql.agent_id_values = values(agent.id)
+    Esql.agent_id_values = values(agent.id),
+    Esql.event_dataset_values = values(event.dataset),
+    Esql.data_stream_namespace_values = values(data_stream.namespace)
     by process.executable
 | where
     Esql.agent_id_count_distinct == 1 and

rules/linux/defense_evasion_acl_modification_via_setfacl.toml

@@ -2,11 +2,15 @@
 creation_date = "2024/08/23"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
-description = "This rule detects Linux Access Control List (ACL) modification via the setfacl command.\n"
+description = """
+This rule detects Linux Access Control List (ACL) modification via the setfacl command. Attackers may
+use the setfacl utility to modify file and directory permissions in order to evade detection and maintain
+persistence on a compromised system.
+"""
 from = "now-9m"
 index = [
     "auditbeat-*",
@@ -72,34 +76,36 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name == "setfacl" and not (
+  ?process.parent.executable in (
+    "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/dirsrv/ds_systemd_ask_password_acl", "/usr/lib/systemd/systemd-udevd",
+    "/usr/bin/udevadm", "/usr/sbin/ds_systemd_ask_password_acl", "/usr/bin/su", "/bin/su"
+  ) or
   process.command_line == "/bin/setfacl --restore=-" or
   process.args == "/var/log/journal/" or
-  process.parent.name in ("stats.pl", "perl", "find") or
-  process.parent.command_line like~ "/bin/sh -c *ansible*"
+  ?process.parent.name in ("stats.pl", "perl", "find") or
+  ?process.parent.command_line like~ "*ansible*" or
+  ?process.parent.args == "/opt/audit-log-acl.sh"
 )
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1222"
 name = "File and Directory Permissions Modification"
 reference = "https://attack.mitre.org/techniques/T1222/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1222.002"
 name = "Linux and Mac File and Directory Permissions Modification"
 reference = "https://attack.mitre.org/techniques/T1222/002/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/08/28"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -54,7 +54,7 @@ Auditd is a critical Linux service responsible for system auditing and logging,
 - Apply any necessary security patches or updates to the affected system to address vulnerabilities that may have been exploited by the adversary.
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected.
 - Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable critical security services."""
-risk_score = 21
+risk_score = 47
 rule_id = "6a058ed6-4e9f-49f3-8f8e-f32165ae7ebf"
 setup = """## Setup
 
@@ -81,7 +81,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -95,33 +95,31 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and (
   (process.name == "service" and process.args == "stop") or
   (process.name == "chkconfig" and process.args == "off") or
-  (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
+  (process.name == "update-rc.d" and process.args in ("remove", "disable")) or
+  (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask"))
 ) and
 process.args in ("auditd", "auditd.service") and 
-not process.parent.name == "auditd.prerm"
+not ?process.parent.name == "auditd.prerm"
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/02/22"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -51,7 +51,7 @@ Firewalls like IPTables on Linux systems are crucial for controlling network tra
 - Implement additional monitoring and alerting for similar activities across the network to detect and respond to future attempts to disable firewall services promptly.
 - Review and update firewall policies and configurations to enhance security measures and prevent similar defense evasion tactics in the future."""
 references = ["https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security"]
-risk_score = 21
+risk_score = 47
 rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f"
 setup = """## Setup
 
@@ -78,7 +78,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -91,43 +91,43 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start") and
-  (
+(
    /* disable FW */
-   (
-     (process.name == "ufw" and process.args == "disable") or
-     (process.name == "iptables" and process.args in ("-F", "--flush", "-X", "--delete-chain") and process.args_count == 2) or
-     (process.name in ("iptables", "ip6tables") and process.parent.args == "force-stop")
-   ) or
+  (
+    (process.name == "ufw" and process.args == "disable") or
+    (process.name == "iptables" and process.args in ("-F", "--flush", "-X", "--delete-chain") and process.args_count == 2) or
+    (process.name in ("iptables", "ip6tables") and process.parent.args == "force-stop")
+  ) or
 
    /* stop FW service */
-   (
-     ((process.name == "service" and process.args == "stop") or
-       (process.name == "chkconfig" and process.args == "off") or
-       (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))) and
+  (
+    (
+      (process.name == "service" and process.args == "stop") or
+      (process.name == "chkconfig" and process.args == "off") or
+      (process.name == "update-rc.d" and process.args in ("remove", "disable")) or
+      (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask"))
+    ) and
     process.args in ("firewalld", "ip6tables", "iptables", "firewalld.service", "ip6tables.service", "iptables.service")
-    )
   )
+)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1562"
 name = "Impair Defenses"
 reference = "https://attack.mitre.org/techniques/T1562/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1562.001"
 name = "Disable or Modify Tools"
 reference = "https://attack.mitre.org/techniques/T1562/001/"
 
-
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-

rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml

@@ -2,13 +2,13 @@
 creation_date = "2020/04/27"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/09/29"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
 description = """
-Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade
-detection by security controls.
+Syslog is a critical component in Linux environments, responsible for logging system events and activities. Adversaries
+may attempt to disable the syslog service to disrupt event logging and evade detection by security controls.
 """
 from = "now-9m"
 index = [
@@ -110,11 +110,14 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where host.os.type == "linux" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
- ( (process.name == "service" and process.args == "stop") or
-   (process.name == "chkconfig" and process.args == "off") or
-   (process.name == "systemctl" and process.args in ("disable", "stop", "kill"))
- ) and process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and
+process where host.os.type == "linux" and event.type == "start" and
+event.action in ("exec", "exec_event", "start", "ProcessRollup2") and (
+  (process.name == "service" and process.args == "stop") or
+  (process.name == "chkconfig" and process.args == "off") or
+  (process.name == "update-rc.d" and process.args in ("remove", "disable")) or
+  (process.name == "systemctl" and process.args in ("disable", "stop", "kill", "mask"))
+) and
+process.args in ("syslog", "rsyslog", "syslog-ng", "syslog.service", "rsyslog.service", "syslog-ng.service") and
 not (
   process.parent.name == "rsyslog-rotate" or
   process.args == "HUP"

rules/linux/defense_evasion_authorized_keys_file_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/05/15"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -96,7 +96,8 @@ not (
   process.executable in (
     "/usr/bin/google_guest_agent", "/usr/bin/dockerd", "/bin/dockerd", "/usr/bin/containerd"
   ) or
-  process.executable like~ "/nix/store/*"
+  process.executable like~ "/nix/store/*" or
+  file.path like~ ("*backup*", "*ansible*", "*puppet*")
 )
 '''
 

rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml

@@ -2,11 +2,15 @@
 creation_date = "2020/04/17"
 integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
-description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls."
+description = """
+Base16 and Base32 are encoding schemes that convert binary data into text, making it easier to transmit and store. This rule
+monitors for Base16 or Base32 encoding and decoding activity on Linux systems. Attackers may use these encoding schemes to
+obfuscate malicious payloads, evade detection, and facilitate data exfiltration. 
+"""
 false_positives = [
     """
     Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be
@@ -60,7 +64,7 @@ Base16 and Base32 are encoding schemes used to convert binary data into text, fa
 - Restore any affected files or systems from known good backups to ensure system integrity and data accuracy.
 - Update and patch the affected system to close any vulnerabilities that may have been exploited by the adversary.
 - Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""
-risk_score = 21
+risk_score = 47
 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
 setup = """## Setup
 
@@ -99,7 +103,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
 - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
 - For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -114,17 +118,16 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
- event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
- process.name in ("base16", "base32", "base32plain", "base32hex") and
+event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+process.name in ("base16", "base32", "base32plain", "base32hex") and
 not process.args in ("--help", "--version")
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1027"
 name = "Obfuscated Files or Information"
@@ -135,9 +138,7 @@ id = "T1140"
 name = "Deobfuscate/Decode Files or Information"
 reference = "https://attack.mitre.org/techniques/T1140/"
 
-
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-