
Conversation

@Aegrah
Contributor

@Aegrah Aegrah commented Dec 22, 2025

PR 5508 Reviewer Summary


Why

This PR updates and refines a broad set of Linux persistence detection rules to:

  • Reduce false positives and operational noise.
  • Improve detection accuracy for real-world threats.
  • Expand coverage for new attack and system behaviors.
  • Provide clearer, actionable triage and investigation guidance.
  • Align rule metadata, severity, and risk scoring with current threat intelligence and operational feedback.

What Changed

  • Severity & Risk Score Adjustments

    • Many rules had their severity and/or risk_score lowered (e.g., from "medium" to "low", 47→21) to reduce alert fatigue.
    • Some rules (e.g., persistence_bpf_probe_write_user, persistence_linux_backdoor_user_creation) had severity/risk increased to highlight criticality.
  • Expanded Exclusions & Pattern Matching

    • Added more process, file path, and extension exclusions to reduce false positives from legitimate system, automation, and package management activity.
    • Switched many strict matches (:, in) to pattern-based (like, like~) for broader, more accurate detection.
    • Exclusions now cover more tools (e.g., podman, dnf5, buildah, ansible, puppet, chef, etc.), file types (e.g., .dpkg-new, .source), and benign system behaviors.
  • Query & Logic Improvements

    • Refined EQL/KQL queries for better context and accuracy.
    • Improved parent/child process logic and handling of temporary/automation files.
    • Updated new_terms windows (e.g., history_window_start from 7d/10d to 5d).
  • Metadata & Integration Updates

    • Updated integration and index lists (e.g., added/removed auditd_manager, crowdstrike, sentinel_one_cloud_funnel).
    • Clarified rule names and descriptions for accuracy and intent.
  • Triage/Investigation Guide Enhancements

    • Many rules now include or update a note section with detailed, AI-generated triage, false positive analysis, and response/remediation steps.
    • Added disclaimers to investigation guides, recommending local validation.
  • Rule-Specific Notables

    • persistence_apt_package_manager_execution: Lowered severity/risk, expanded process exclusions, improved query.
    • persistence_bpf_probe_write_user: Severity/risk increased to "high"/73.
    • persistence_credential_access_modify_ssh_binaries: Lowered severity/risk, renamed for clarity, expanded exclusions.
    • persistence_dpkg_package_installation_from_unusual_parent/persistence_dpkg_unusual_execution: Added/updated triage notes, adjusted risk/severity, refined new_terms window.
    • persistence_git_hook_* rules: Lowered severity/risk, expanded exclusions, improved pattern matching.
    • persistence_kernel_driver_load_by_non_root_user/persistence_kernel_object_file_creation: Added/updated triage notes, expanded index/exclusion logic.
    • persistence_linux_backdoor_user_creation: Severity/risk increased to "high"/73, query now matches both short and long argument forms.
    • persistence_kde_autostart_modification: Renamed for clarity, improved exclusions, now only matches creation events.
    • persistence_insmod_kernel_module_load: Added crowdstrike integration, expanded indices, improved exclusions.
    • persistence_grub_configuration_creation/persistence_grub_makeconfig: Added exclusions for python/ansible automation, expanded parent process exclusions.
    • persistence_init_d_file_creation: Expanded exclusions, improved handling of benign automation/system processes.
    • persistence_kworker_file_creation: Expanded file path exclusions for benign kworker activity.
    • persistence_kubernetes_sensitive_file_activity: Improved handling of vim/vi temp files, expanded process exclusions.

Behavioral Impact

  • Reduced False Positives: More comprehensive exclusions and refined queries should significantly reduce noise from legitimate system and automation activity.
  • Improved Detection Quality: Adjusted severities and risk scores better align with real-world threat impact, helping SOCs prioritize.
  • Clearer Triage Guidance: Enhanced investigation notes provide analysts with actionable steps and context, improving response times and accuracy.
  • Broader Coverage: New and updated exclusions and logic account for a wider range of Linux distributions, tools, and operational scenarios.

Risks / Edge Cases

  • Potential for Missed Detections: Aggressive exclusions, especially for automation and package management tools, may inadvertently suppress some true positives if attackers abuse these tools.
  • Rule Downgrades: Lowering severity/risk on some rules may deprioritize alerts that could be significant in certain environments—review local risk appetite.
  • Rule Upgrades: Increasing severity/risk on others (e.g., bpf_probe_write_user, linux_backdoor_user_creation) may increase alert volume for rare but critical events.
  • Pattern Matching Changes: Switching from strict to pattern-based matching (like, like~) may have unforeseen effects on rule triggering in edge cases.

Rollout Notes

  • Review and Test: Before deploying to production, review all updated rules in a staging environment to ensure exclusions and logic match your operational context.
  • Update Playbooks: SOC/IR teams should update their playbooks to align with new triage/investigation notes and severity/risk changes.
  • Monitor Alert Volumes: Track alert volumes post-rollout to ensure that noise is reduced and critical detections are not missed.
  • Feedback Loop: Encourage feedback from analysts to further tune exclusions and triage guidance as needed.

@Aegrah Aegrah self-assigned this Dec 22, 2025
@Aegrah Aegrah added the labels OS: Linux, Rule: Tuning (tweaking or tuning an existing rule) and Team: TRADE on Dec 22, 2025
@github-actions
Contributor

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.
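The "Rule Metadata Checks" above are mechanical enough to script. What follows is an added example, not the detection-rules project's own tooling: a Python lint over one rule's already-parsed metadata that checks the severity/risk_score pairing (the PR summary shows low=21, medium=47, high=73; critical=99 completes that scheme), the YYYY/MM/DD date format, that `updated_date` is not earlier than `creation_date` and equals the merge date, and that `name` and `description` are non-empty without stray whitespace. The two rule dicts and the merge date are constructed for illustration.

```python
import re
from datetime import date

# Severity-to-risk_score pairing: the PR summary shows low=21, medium=47, high=73;
# critical=99 is the remaining level in the same scheme.
SEVERITY_RISK = {"low": 21, "medium": 47, "high": 73, "critical": 99}
DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}$")  # rule metadata dates are written YYYY/MM/DD


def _parse_rule_date(value: str):
    """Return a date for a YYYY/MM/DD string, or None if the calendar value is impossible."""
    try:
        year, month, day = (int(part) for part in value.split("/"))
        return date(year, month, day)
    except ValueError:
        return None


def lint_rule_metadata(rule: dict, merge_date: str) -> list:
    """Return a list of findings for one rule's metadata; an empty list means clean.

    `rule` is the [metadata]/[rule] content of a rule TOML file flattened into one dict;
    `merge_date` is the date the tuning PR merges, in the same YYYY/MM/DD form."""
    findings = []

    severity, score = rule.get("severity"), rule.get("risk_score")
    if severity not in SEVERITY_RISK:
        findings.append(f"severity: unknown level {severity!r}")
    elif score != SEVERITY_RISK[severity]:
        findings.append(
            f"risk_score: {score} does not match severity {severity!r} (expected {SEVERITY_RISK[severity]})"
        )

    parsed = {}
    for key in ("creation_date", "updated_date"):
        value = rule.get(key, "")
        parsed[key] = _parse_rule_date(value) if DATE_RE.match(value) else None
        if parsed[key] is None:
            findings.append(f"{key}: expected a valid YYYY/MM/DD date, got {value!r}")
    if parsed["creation_date"] and parsed["updated_date"]:
        if parsed["updated_date"] < parsed["creation_date"]:
            findings.append("updated_date: precedes creation_date")
        if rule["updated_date"] != merge_date:
            findings.append(f"updated_date: {rule['updated_date']} should match the merge date {merge_date}")

    for key in ("name", "description"):
        value = rule.get(key, "")
        if not value.strip():
            findings.append(f"{key}: empty")
        elif value != value.strip() or "  " in value:
            findings.append(f"{key}: stray whitespace")

    return findings


# Constructed rule metadata; neither dict is taken from a real rule file.
CLEAN_RULE = {
    "name": "Example Persistence Rule",
    "description": "Constructed description for a tuned Linux persistence rule.",
    "severity": "low",
    "risk_score": 21,
    "creation_date": "2024/03/01",
    "updated_date": "2025/12/22",
}
STALE_RULE = {
    "name": "Example Persistence Rule ",   # trailing space
    "description": "Constructed description.",
    "severity": "low",
    "risk_score": 47,                       # score left at the old medium value after the downgrade
    "creation_date": "2024/03/01",
    "updated_date": "2025/12/10",           # not bumped to the merge date
}
MERGE_DATE = "2025/12/22"  # assumed for the example; use the actual merge date

if __name__ == "__main__":
    for label, rule in (("clean", CLEAN_RULE), ("stale", STALE_RULE)):
        print(label, lint_rule_metadata(rule, MERGE_DATE) or "ok")
```

The severity check is the one that matters most for this PR: a rule whose severity was lowered to "low" but whose risk_score stayed at 47 would still sort among medium alerts in the SOC queue, which defeats the purpose of the downgrade.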

@tradebot-elastic

tradebot-elastic commented Dec 22, 2025

⛔️ Test failed

Results
  • ❌ Renaming of OpenSSH Binaries (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ rc.local/rc.common File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Polkit Policy Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive Configuration File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initramfs Extraction via CPIO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Object File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load via insmod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNF Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login via System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Added to Privileged Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System V Init Script Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Backdoor User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Spawned from Message-of-the-Day (MOTD) (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Pluggable Authentication Module (PAM) Source Download (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Boot File Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module (PAM) Creation in Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection Initiated by Suspicious SSHD Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Server Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Loadable Kernel Module Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution of rc.local Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ APT Package Manager Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Path File (pth) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Dracut Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ At Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetworkManager Dispatcher Script Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPM Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable Bit Set for Potential Persistence Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ D-Bus Service Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Message-of-the-Day (MOTD) File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Backdoor Execution Through PAM_EXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual D-Bus Daemon Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Egress Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Group Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration Generation through Built-in Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Shared Object Created by Previously Unknown Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Chkconfig Service Add (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load by non-root User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shadow File Modification by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DPKG Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dracut Module Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KDE AutoStart Script or Desktop File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Child Execution via Web Server (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Set via setcap Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module or Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OpenSSL Password Hash Generation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DPKG Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Setcap setuid/setgid Capability Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cron Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed


@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed


@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

  • ❌ Git Hook Egress Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Group Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration Generation through Built-in Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Shared Object Created by Previously Unknown Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Chkconfig Service Add (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load by non-root User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shadow File Modification by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DPKG Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dracut Module Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KDE AutoStart Script or Desktop File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Child Execution via Web Server (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Set via setcap Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module or Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OpenSSL Password Hash Generation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DPKG Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Setcap setuid/setgid Capability Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cron Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results
  • ❌ Renaming of OpenSSH Binaries (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ rc.local/rc.common File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Polkit Policy Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive Configuration File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initramfs Extraction via CPIO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Object File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load via insmod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNF Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login via System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Added to Privileged Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System V Init Script Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Backdoor User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Spawned from Message-of-the-Day (MOTD) (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Pluggable Authentication Module (PAM) Source Download (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Boot File Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module (PAM) Creation in Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection Initiated by Suspicious SSHD Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Server Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Loadable Kernel Module Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution of rc.local Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ APT Package Manager Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Path File (pth) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Dracut Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ At Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetworkManager Dispatcher Script Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPM Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable Bit Set for Potential Persistence Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ D-Bus Service Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Message-of-the-Day (MOTD) File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Backdoor Execution Through PAM_EXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual D-Bus Daemon Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Egress Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Group Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration Generation through Built-in Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Shared Object Created by Previously Unknown Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Chkconfig Service Add (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load by non-root User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shadow File Modification by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DPKG Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dracut Module Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KDE AutoStart Script or Desktop File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Child Execution via Web Server (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Set via setcap Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module or Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OpenSSL Password Hash Generation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DPKG Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Setcap setuid/setgid Capability Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cron Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results
  • ❌ Renaming of OpenSSH Binaries (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ rc.local/rc.common File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Polkit Policy Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive Configuration File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initramfs Extraction via CPIO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Object File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load via insmod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNF Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login via System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Added to Privileged Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System V Init Script Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Backdoor User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Spawned from Message-of-the-Day (MOTD) (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Pluggable Authentication Module (PAM) Source Download (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Boot File Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module (PAM) Creation in Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection Initiated by Suspicious SSHD Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Server Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Loadable Kernel Module Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution of rc.local Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ APT Package Manager Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Path File (pth) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Dracut Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ At Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetworkManager Dispatcher Script Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPM Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable Bit Set for Potential Persistence Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ D-Bus Service Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Message-of-the-Day (MOTD) File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Backdoor Execution Through PAM_EXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual D-Bus Daemon Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Egress Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Group Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration Generation through Built-in Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Shared Object Created by Previously Unknown Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Chkconfig Service Add (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load by non-root User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shadow File Modification by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DPKG Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dracut Module Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KDE AutoStart Script or Desktop File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Child Execution via Web Server (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Set via setcap Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module or Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OpenSSL Password Hash Generation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DPKG Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Setcap setuid/setgid Capability Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cron Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results
  • ❌ Renaming of OpenSSH Binaries (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ rc.local/rc.common File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Polkit Policy Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive Configuration File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initramfs Extraction via CPIO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Object File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load via insmod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNF Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login via System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Added to Privileged Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System V Init Script Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Backdoor User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Spawned from Message-of-the-Day (MOTD) (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Pluggable Authentication Module (PAM) Source Download (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Boot File Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module (PAM) Creation in Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection Initiated by Suspicious SSHD Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Server Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Loadable Kernel Module Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution of rc.local Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ APT Package Manager Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Path File (pth) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Dracut Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ At Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetworkManager Dispatcher Script Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPM Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable Bit Set for Potential Persistence Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ D-Bus Service Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Message-of-the-Day (MOTD) File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Backdoor Execution Through PAM_EXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual D-Bus Daemon Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Egress Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Group Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration Generation through Built-in Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Shared Object Created by Previously Unknown Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Chkconfig Service Add (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load by non-root User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shadow File Modification by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DPKG Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dracut Module Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KDE AutoStart Script or Desktop File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Child Execution via Web Server (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Set via setcap Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module or Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OpenSSL Password Hash Generation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DPKG Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Setcap setuid/setgid Capability Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cron Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results
  • ❌ Renaming of OpenSSH Binaries (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ rc.local/rc.common File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Polkit Policy Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive Configuration File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initramfs Extraction via CPIO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Object File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load via insmod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNF Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login via System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Added to Privileged Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System V Init Script Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Backdoor User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Spawned from Message-of-the-Day (MOTD) (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Pluggable Authentication Module (PAM) Source Download (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Boot File Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module (PAM) Creation in Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection Initiated by Suspicious SSHD Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Server Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Loadable Kernel Module Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution of rc.local Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ APT Package Manager Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Path File (pth) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Dracut Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ At Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetworkManager Dispatcher Script Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPM Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable Bit Set for Potential Persistence Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ D-Bus Service Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Message-of-the-Day (MOTD) File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Backdoor Execution Through PAM_EXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual D-Bus Daemon Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Egress Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Group Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration Generation through Built-in Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Shared Object Created by Previously Unknown Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Chkconfig Service Add (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load by non-root User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shadow File Modification by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DPKG Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dracut Module Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KDE AutoStart Script or Desktop File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Child Execution via Web Server (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Set via setcap Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module or Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OpenSSL Password Hash Generation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DPKG Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Setcap setuid/setgid Capability Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cron Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Aegrah
Contributor Author

Aegrah commented Dec 23, 2025

@copilot Summarize this entire pull request. Consider all commits, file diffs, and conversations. Overwrite the main summary comment with the summary you created. Also, use these instructions: “Generate a PR summary for reviewers. Include: Why (problem), What changed (bullets), Behavioral impact, Risk/edge cases, How to test, and Notes for rollout. Keep it concise and accurate; if unsure, say so.”


Copilot AI commented Dec 23, 2025

@Aegrah I've opened a new pull request, #5513, to work on those changes. Once the pull request is ready, I'll request review from you.

@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results
  • ❌ Renaming of OpenSSH Binaries (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ rc.local/rc.common File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Polkit Policy Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive Configuration File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initramfs Extraction via CPIO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Object File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load via insmod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNF Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login via System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Added to Privileged Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System V Init Script Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Backdoor User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Spawned from Message-of-the-Day (MOTD) (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Pluggable Authentication Module (PAM) Source Download (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Boot File Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module (PAM) Creation in Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection Initiated by Suspicious SSHD Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Server Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Loadable Kernel Module Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution of rc.local Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ APT Package Manager Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Path File (pth) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Dracut Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ At Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetworkManager Dispatcher Script Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPM Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable Bit Set for Potential Persistence Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ D-Bus Service Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Message-of-the-Day (MOTD) File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Backdoor Execution Through PAM_EXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual D-Bus Daemon Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Egress Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Group Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration Generation through Built-in Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Shared Object Created by Previously Unknown Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Chkconfig Service Add (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load by non-root User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shadow File Modification by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DPKG Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dracut Module Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KDE AutoStart Script or Desktop File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Child Execution via Web Server (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Set via setcap Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module or Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OpenSSL Password Hash Generation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DPKG Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Setcap setuid/setgid Capability Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cron Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

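To make bot output like the Results list above easier to triage, here is an added Python helper (example code written for this page, not part of the PR or of the detection-rules project) that parses the bot's list layout into records, tallies failed rules by their `stack_validation_failed` reason, and lists the rules flagged with `coverage_issue: no_rta`. The sample input is constructed to mirror the lines above. The reading of `no_rta` as "no Red Team Automation script exists for this rule" and of `no_alerts` as "the rule produced no alerts during stack validation" is an assumption made here, not something the bot output states.

```python
"""Parse tradebot-elastic style validation results into structured records.

Added example, not project code. The interpretation of the failure
reasons ('no_rta', 'no_alerts') is an assumption; the bot only prints them.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# A rule line: bullet, a pass/fail mark, the rule name, then the query language in parentheses.
# The name may itself contain parentheses (e.g. "(MOTD)"), so the language group is anchored at end of line.
RULE_RE = re.compile(r"^\s*•\s*(?P<status>[❌✅])\s*(?P<name>.+?)\s*\((?P<lang>\w+)\)\s*$")
# A detail line under a rule: bullet, key, colon, value.
DETAIL_RE = re.compile(r"^\s*•\s*(?P<key>\w+):\s*(?P<value>.+?)\s*$")


@dataclass
class RuleResult:
    name: str
    language: str
    passed: bool
    details: dict = field(default_factory=dict)


def parse_results(text):
    """Turn the bot's bullet list into a list of RuleResult, in order of appearance."""
    results = []
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = RuleResult(m["name"], m["lang"], m["status"] == "✅")
            results.append(current)
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:
            current.details[m["key"]] = m["value"]
    return results


def failure_breakdown(results):
    """Count failed rules by the first token of their stack_validation_failed reason.

    'no_alerts - 0 alerts' is folded into 'no_alerts' so the two failure classes
    seen in the bot output (missing RTA vs. RTA ran but rule did not fire) separate cleanly.
    """
    reasons = Counter()
    for r in results:
        if r.passed:
            continue
        reason = r.details.get("stack_validation_failed", "unknown")
        reasons[reason.split(" - ")[0]] += 1
    return reasons


def rules_missing_rta(results):
    """Names of rules the bot flagged with coverage_issue: no_rta (assumed: no RTA script exists)."""
    return sorted(r.name for r in results if r.details.get("coverage_issue") == "no_rta")


# Constructed sample mirroring the bot's layout; not copied from a real run.
SAMPLE = """\
Results
  • ❌ Renaming of OpenSSH Binaries (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Spawned from Message-of-the-Day (MOTD) (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Cron Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
"""

if __name__ == "__main__":
    parsed = parse_results(SAMPLE)
    print(f"{len(parsed)} rules, {sum(r.passed for r in parsed)} passed")
    print("failures by reason:", dict(failure_breakdown(parsed)))
    print("rules without RTA:", rules_missing_rta(parsed))
```

The two failure classes matter for triage: a rule under `no_rta` simply has no automation to exercise it, whereas a rule under `no_alerts` (here, Process Spawned from Message-of-the-Day) was exercised and did not fire, which is the case worth investigating first since it may indicate the query changes in this PR broke the rule's existing coverage.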
@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results
  • ❌ Renaming of OpenSSH Binaries (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ rc.local/rc.common File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Polkit Policy Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Sensitive Configuration File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initramfs Extraction via CPIO (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Object File Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Module Load via insmod (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shell Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DNF Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Login via System User (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Added to Privileged Group (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ System V Init Script Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Backdoor User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Spawned from Message-of-the-Day (MOTD) (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ❌ Pluggable Authentication Module (PAM) Source Download (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Boot File Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module (PAM) Creation in Unusual Directory (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connection Initiated by Suspicious SSHD Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Server Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious rc.local Error Message (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Loadable Kernel Module Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution of rc.local Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ APT Package Manager Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Path File (pth) Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Dracut Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ At Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ NetworkManager Dispatcher Script Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ RPM Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Simple HTTP Web Server Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Executable Bit Set for Potential Persistence Script (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ D-Bus Service Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Message-of-the-Day (MOTD) File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Backdoor Execution Through PAM_EXEC (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual D-Bus Daemon Child Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Egress Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Group Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration Generation through Built-in Utilities (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Suspicious File Creation via Kworker (eql)
  • ❌ Shared Object Created by Previously Unknown Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Chkconfig Service Add (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Driver Load by non-root User (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Usage of bpf_probe_write_user Helper (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Shadow File Modification by Unusual Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GRUB Configuration File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual DPKG Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Python Site or User Customize File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dracut Module Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Dynamic Linker Copy (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ KDE AutoStart Script or Desktop File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Network Connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Account Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Child Execution via Web Server (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Set via setcap Utility (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module or Configuration Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ OpenSSL Password Hash Generation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ DPKG Package Installed by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Setcap setuid/setgid Capability Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Cron Job Created or Modified (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
