Merge pull request #3349 from 0xC0FFEEEE/curl_proxy_fix

0xC0FFEEEE - Improve Linux Proxy Socks Curl Detection

Author: patel-bhavin

detections/endpoint/linux_proxy_socks_curl.yml

@@ -1,8 +1,8 @@
 name: Linux Proxy Socks Curl
 id: bd596c22-ad1e-44fc-b242-817253ce8b08
-version: 6
-date: '2024-11-13'
-author: Michael Haag, Splunk
+version: 7
+date: '2025-02-19'
+author: Michael Haag, Splunk, 0xC0FFEEEE, Github Community
 status: production
 type: TTP
 description: The following analytic detects the use of the `curl` command with proxy-related
@@ -21,7 +21,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   "*--preproxy *", "--proxy*") by Processes.dest Processes.user Processes.parent_process_name
   Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `linux_proxy_socks_curl_filter`'
+  | where match(process, "-x\s") OR match(process, "(?i)socks\d\w?:\/\/|--(pre)?proxy") | `linux_proxy_socks_curl_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,