
Conversation


@Aegrah Aegrah commented Dec 19, 2025

PR Summary: Linux Exfiltration, Impact, Initial Access, and Lateral Movement Rule Enhancements


Why

This PR updates and strengthens a wide range of Linux detection rules to:

  • Improve detection of modern exfiltration, impact, initial access, and lateral movement techniques.
  • Increase risk and severity ratings for high-impact behaviors.
  • Expand integration and data source support (SentinelOne, CrowdStrike, etc.).
  • Reduce false positives and improve triage guidance.
  • Align rule logic and metadata with current best practices and threat research.

What Changed

General Improvements

  • Severity and Risk Score Increases: Many rules now have higher severity (e.g., "low" → "medium"/"high") and risk scores (e.g., 21 → 47/73) to better reflect the impact of detected behaviors.
  • Expanded Integrations: Added or updated support for SentinelOne, CrowdStrike, and more.
  • Broader Data Sources: Rules now ingest from more indices, improving coverage.
  • Query Logic Enhancements:
    • Broader event.action and event.type matching.
    • More robust process argument/path matching.
    • Additional exclusions for known benign processes and parent/child relationships.
    • More precise parent/child process logic and new_terms field tuning.
  • Triage/Investigation Guides: Many rules now include or update detailed triage, false positive, and response sections.
  • Shorter History Windows: Most new_terms rules now use a 5-day window (was 7d/10d).
  • Rule Metadata: Updated rule names, descriptions, tags, and setup instructions for clarity and accuracy.

Notable Rule-Specific Changes

  • Exfiltration via Curl, Split, File Transfer Utilities:
    • Added SentinelOne integration and index support.
    • More exclusions for benign parent processes.
    • Increased risk and severity for data splitting and file transfer rules.
    • File transfer utility rule now focuses on unusual parent processes and directories.
  • Impact:
    • Data encryption via OpenSSL: new triage guide, more exclusions for benign automation.
    • ESXi process kill: risk_score 47 → 73, severity medium → high, new triage guide.
    • Memory swap modification: risk_score 21 → 47, severity low → medium, more parent process exclusions.
    • Process kill threshold: now includes kill/killall, threshold increased, field now agent.id.
    • Ransomware note detection: more process/executable exclusions.
  • Initial Access:
    • SSH authentication by new key/IP/user: new_terms window now 5d (was 10d).
  • Lateral Movement:
    • Kubeconfig file activity: more process/executable exclusions.
    • Remote file creation: new_terms field now agent.id, window 5d.
    • SSH worm download: renamed to "Potential THC Tool Downloaded", risk_score 47 → 73, severity medium → high, broader URL matching.
    • SSH process in container: marked as deprecated, new triage guide.
    • Telnet network activity: now matches on more event.actions.
    • Unusual remote file creation: new_terms field now agent.id, window 5d, more ansible/automation exclusions.

Behavioral Impact

  • Improved Detection: Higher severity/risk and broader coverage mean more actionable alerts for high-impact behaviors (exfiltration, ransomware, lateral movement, etc.).
  • Reduced False Positives: More granular exclusions for known benign processes, parent/child relationships, and command-line patterns.
  • Better Triage: Enhanced investigation and response notes help analysts quickly assess and respond to alerts.
  • Wider Integration: Organizations using SentinelOne, CrowdStrike, and other integrations will see improved detection fidelity.

Risks & Edge Cases

  • Potential for Increased Alert Volume: Higher severity/risk and broader matching may increase alert counts, especially in environments with many legitimate admin/developer activities.
  • False Positives: Despite new exclusions, some environments may still see noise from custom scripts, automation, or rare tools. Review and tune as needed.
  • Integration Dependencies: Some rules now require data from new integrations (e.g., SentinelOne, CrowdStrike). Ensure these are properly configured.
  • Shorter History Windows: Reducing new_terms windows may miss rare events but will reduce noise from long-term benign changes.

Rollout Notes

  • Review Integration Coverage: Ensure all referenced integrations and indices are available and properly configured in your environment.
  • Tune Exclusions: Review new exclusions and add environment-specific ones as needed to minimize false positives.
  • Monitor Alert Volume: After rollout, monitor for changes in alert volume and adjust rule thresholds or exclusions if necessary.
  • Update Playbooks: Update SOC/IR playbooks to leverage new triage and response guidance included in the rules.
  • Test in Staging: If possible, test these rule changes in a staging environment before production rollout.

@Aegrah Aegrah self-assigned this Dec 19, 2025
@Aegrah Aegrah added labels Dec 19, 2025: OS: Linux; Rule: Tuning (tweaking or tuning an existing rule); Team: TRADE
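Two of the changes above are easiest to reason about by running the logic over sample data: the process-kill threshold rule now counting kill/killall per agent.id, and the new_terms SSH rules with their history window shortened from 10d to 5d. The block below is an added example written for this page, not code from the PR or the elastic/detection-rules repository. It re-implements both rule patterns in plain Python over constructed ECS-style events; the threshold value, the window sizes and every event are illustrative assumptions, not the rules' real parameters. It also shows the practical effect of the shorter history window: a user last seen 7 days ago is not "new" under a 10-day window but is under a 5-day one, so the shorter window can re-alert on rare but benign recurring terms.

```python
"""Added example, not code from the elastic/detection-rules PR or repository.

Re-implements, over constructed sample events, two rule patterns the PR
description touches:
  1. threshold: "High Number of Process Terminations" now counts kill and
     killall launches per agent.id instead of host.name;
  2. new_terms: the "Successful SSH Authentication from Unusual ..." rules
     alert on a value first seen within a history window, which the PR
     shortens from 10d to 5d.
Field names follow ECS; threshold value, windows and all events are
illustrative assumptions, not the real rule parameters.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 12, 19, 12, 0, 0)  # constructed "now" for the samples


def ts(days_ago=0, minutes=0):
    return T0 - timedelta(days=days_ago) + timedelta(minutes=minutes)


# Constructed process events: agent-a runs a kill storm, agent-b does not.
PROCESS_EVENTS = [
    {"@timestamp": ts(minutes=i), "agent.id": "agent-a", "host.name": "web-1",
     "process.name": "kill", "process.args": ["kill", "-9", str(1000 + i)]}
    for i in range(6)
] + [
    {"@timestamp": ts(minutes=3), "agent.id": "agent-a", "host.name": "web-1",
     "process.name": "killall", "process.args": ["killall", "nginx"]},
    {"@timestamp": ts(minutes=1), "agent.id": "agent-b", "host.name": "web-2",
     "process.name": "kill", "process.args": ["kill", "-15", "2222"]},
    {"@timestamp": ts(minutes=2), "agent.id": "agent-b", "host.name": "web-2",
     "process.name": "pkill", "process.args": ["pkill", "-f", "sleep"]},
]

# Constructed successful SSH logins on one bastion host.
SSH_EVENTS = [
    {"@timestamp": ts(days_ago=30), "host.name": "bastion", "user.name": "deploy", "source.ip": "10.0.0.5"},
    {"@timestamp": ts(days_ago=7), "host.name": "bastion", "user.name": "alice", "source.ip": "10.0.0.9"},
    {"@timestamp": ts(days_ago=2), "host.name": "bastion", "user.name": "deploy", "source.ip": "10.0.0.5"},
    {"@timestamp": ts(), "host.name": "bastion", "user.name": "deploy", "source.ip": "10.0.0.5"},
    {"@timestamp": ts(minutes=5), "host.name": "bastion", "user.name": "alice", "source.ip": "10.0.0.9"},
    {"@timestamp": ts(minutes=9), "host.name": "bastion", "user.name": "root", "source.ip": "203.0.113.7"},
]

KILL_BINARIES = {"kill", "killall"}  # pkill is deliberately out of scope here


def threshold_process_kills(events, threshold=5, window_minutes=10):
    """Threshold rule: count kill/killall launches per agent.id inside the
    window ending at the newest event; return only agents at/over threshold.
    agent.id is used rather than host.name because one hostname can be reused
    across VMs or containers while the agent id is unique per enrollment."""
    now = max(e["@timestamp"] for e in events)
    start = now - timedelta(minutes=window_minutes)
    counts = defaultdict(int)
    for e in events:
        if e["process.name"] in KILL_BINARIES and start <= e["@timestamp"] <= now:
            counts[e["agent.id"]] += 1
    return {agent: n for agent, n in counts.items() if n >= threshold}


def new_terms(events, fields, history_days, rule_days=1):
    """new_terms rule (simplified): a tuple of `fields` is "new" when it was not
    seen in the `history_days` before the event. Only events inside the last
    `rule_days` can alert; older events just seed the history."""
    ordered = sorted(events, key=lambda e: e["@timestamp"])
    end = ordered[-1]["@timestamp"]
    history = timedelta(days=history_days)
    last_seen = {}
    alerts = []
    for e in ordered:
        term = tuple(e[f] for f in fields)
        t = e["@timestamp"]
        prev = last_seen.get(term)
        if (prev is None or t - prev > history) and t >= end - timedelta(days=rule_days):
            alerts.append((t, term))
        last_seen[term] = t
    return alerts


if __name__ == "__main__":
    print("kill storm:", threshold_process_kills(PROCESS_EVENTS))
    for days in (10, 5):
        hits = new_terms(SSH_EVENTS, ("host.name", "user.name"), history_days=days)
        print(f"new users with {days}d history:", [term for _, term in hits])
```

Running it flags agent-a (six kill launches plus one killall, above the assumed threshold of five) while agent-b's single kill and its pkill stay quiet, and shows that the 10-day history produces one new-user alert (root) while the 5-day history produces two (alice, last seen 7 days earlier, plus root). When tuning the real rules, that second behaviour is what to watch for: a shorter window trades fewer stale baselines for re-alerting on infrequent but legitimate users, keys or source IPs.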
@github-actions

Rule: Tuning - Guidelines

These guidelines serve as a reminder of the considerations to weigh when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving the quality and integrity of the data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date the tuning PR is merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.


tradebot-elastic commented Dec 19, 2025

⛔️ Test failed

Results
  • ❌ Connection to Internal Network via Telnet (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Successful SSH Authentication from Unusual SSH Public Key (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential THC Tool Downloaded (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Remote File Creation in World Writeable Directory (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Successful SSH Authentication from Unusual User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Successful SSH Authentication from Unusual IP Address (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - SSH Process Launched From Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Memory Swap Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Termination of ESXI Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Process Terminations (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malware-Driven SSH Brute Force Attempt (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ File Transfer Utility Launched from Unusual Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubeconfig File Creation or Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Through Curl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Ransomware Note Creation Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Connection to External Network via Telnet (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Splitting Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Remote File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Data Encryption via OpenSSL Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Updated investigation guide to reflect THC tool instead of SSH-IT worm. Enhanced description for clarity.

tradebot-elastic commented Dec 19, 2025

⛔️ Test failed

Results: identical to the previous run (the same 19 rules, each reporting coverage_issue: no_rta and stack_validation_failed: no_rta).


tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results: identical to the previous run (the same 19 rules, each reporting coverage_issue: no_rta and stack_validation_failed: no_rta).

Updated the query to include additional fields and modified the conditions for filtering events.

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results: identical to the previous run (the same 19 rules, each reporting coverage_issue: no_rta and stack_validation_failed: no_rta).
