[Rule Tuning] Linux DR Tuning - 7

rules/linux/execution_abnormal_process_id_file_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/05/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/24"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -128,7 +128,9 @@ file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and
     go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or vzctl or ifup or
     rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat or redis-server or libvirt_leaseshelper or
     s6-ipcserver-socketbinder or xinetd or libvirtd or veeamdeploymentsvc  or dnsmasq or virtlogd or lynis or
-    veeamtransport
+    veeamtransport or bash or dash or sh or touch or podman or chrome_crashpad_handler or snmpd or automount or
+    chrome or yumBackend.py or rhsmcertd-worker or snapd or cp or dotnet or leapp or haproxy or multipathd or
+    falcond or python* or atopacctd or postmaster or httpd or pulseaudio or iptables or atd or package-cleanup or local
   ) or
   file.name : (
     jem.*.pid or lynis.pid or redis.pid or yum.pid or MFS.pid or jenkins.pid or nvmupdate.pid or openlitespeed.pid or
@@ -153,8 +155,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["process.executable", "file.name"]
+value = ["process.name", "file.name"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-14d"
+value = "now-5d"

rules/linux/execution_container_management_binary_launched_inside_container.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/03/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/06/17"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -24,6 +24,41 @@ index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Container Management Utility Run Inside A Container"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Container Management Utility Run Inside A Container
+
+Container management utilities like Docker and Kubectl are essential for orchestrating and managing containerized applications. They facilitate tasks such as deployment, scaling, and networking. However, adversaries can exploit these tools to execute unauthorized commands within containers, potentially leading to system compromise. The detection rule identifies suspicious execution of these utilities within containers, signaling possible misuse or misconfiguration, by monitoring specific process activities and event types.
+
+### Possible investigation steps
+
+- Examine the process name and command line arguments to understand the context of the execution and identify any anomalies or unauthorized commands.
+- Check the user and permissions associated with the process to assess if it aligns with expected roles and access levels for container management tasks.
+- Investigate the container's creation and deployment history to identify any recent changes or deployments that could explain the presence of the management utility.
+- Analyze network activity associated with the container to detect any unusual connections or data transfers that might indicate malicious activity.
+- Correlate the event with other security alerts or logs to identify patterns or related incidents that could provide additional context or evidence of compromise.
+
+### False positive analysis
+
+- Routine maintenance tasks within containers can trigger the rule. Exclude known maintenance scripts or processes by adding them to an allowlist if they frequently execute container management utilities.
+- Development and testing environments often run container management commands for legitimate purposes. Consider excluding these environments from monitoring or adjust the rule to focus on production environments only.
+- Automated deployment tools may execute container management commands as part of their workflow. Identify these tools and create exceptions for their activities to prevent false positives.
+- System updates or patches might involve running container management utilities. Monitor update schedules and temporarily adjust the rule to avoid unnecessary alerts during these periods.
+- Legitimate administrative actions by authorized personnel can trigger the rule. Implement user-based exceptions for known administrators to reduce false positives while maintaining security oversight.
+
+### Response and remediation
+
+- Immediately isolate the affected container to prevent further unauthorized access or execution of commands. This can be done by stopping the container or disconnecting it from the network.
+- Review the container's configuration and access controls to identify any misconfigurations or unauthorized access permissions that may have allowed the execution of container management utilities.
+- Conduct a thorough analysis of the container's logs and process activities to determine the extent of the compromise and identify any additional malicious activities or lateral movement attempts.
+- Remove any unauthorized or suspicious binaries and scripts from the container to prevent further exploitation.
+- Patch and update the container image and underlying host system to address any known vulnerabilities that may have been exploited.
+- Implement stricter access controls and monitoring on container management utilities to ensure they are only accessible by authorized users and processes.
+- Escalate the incident to the security operations team for further investigation and to assess the need for broader security measures across the container environment."""
+
 risk_score = 21
 rule_id = "4b74d3b0-416e-4099-b432-677e1cd098cc"
 setup = """## Setup
@@ -66,43 +101,14 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 process.entry_leader.entry_meta.type == "container" and process.interactive == true and
-process.name in ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl") and
-not process.parent.executable in ("/sbin/init", "/usr/bin/dockerd")
+process.name in ("dockerd", "kubelet", "kube-proxy", "kubectl", "containerd", "systemd", "crictl") and
+not (
+  process.parent.executable in ("/sbin/init", "/usr/bin/dockerd", "/usr/bin/runc", "/usr/bin/containerd-shim-runc-v2") or
+  process.working_directory == "/aws" or
+  process.parent.command_line == "runc init" or
+  (process.parent.name == "busybox" and process.name == "kubectl")
+)
 '''
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Container Management Utility Run Inside A Container
-
-Container management utilities like Docker and Kubectl are essential for orchestrating and managing containerized applications. They facilitate tasks such as deployment, scaling, and networking. However, adversaries can exploit these tools to execute unauthorized commands within containers, potentially leading to system compromise. The detection rule identifies suspicious execution of these utilities within containers, signaling possible misuse or misconfiguration, by monitoring specific process activities and event types.
-
-### Possible investigation steps
-
-- Examine the process name and command line arguments to understand the context of the execution and identify any anomalies or unauthorized commands.
-- Check the user and permissions associated with the process to assess if it aligns with expected roles and access levels for container management tasks.
-- Investigate the container's creation and deployment history to identify any recent changes or deployments that could explain the presence of the management utility.
-- Analyze network activity associated with the container to detect any unusual connections or data transfers that might indicate malicious activity.
-- Correlate the event with other security alerts or logs to identify patterns or related incidents that could provide additional context or evidence of compromise.
-
-### False positive analysis
-
-- Routine maintenance tasks within containers can trigger the rule. Exclude known maintenance scripts or processes by adding them to an allowlist if they frequently execute container management utilities.
-- Development and testing environments often run container management commands for legitimate purposes. Consider excluding these environments from monitoring or adjust the rule to focus on production environments only.
-- Automated deployment tools may execute container management commands as part of their workflow. Identify these tools and create exceptions for their activities to prevent false positives.
-- System updates or patches might involve running container management utilities. Monitor update schedules and temporarily adjust the rule to avoid unnecessary alerts during these periods.
-- Legitimate administrative actions by authorized personnel can trigger the rule. Implement user-based exceptions for known administrators to reduce false positives while maintaining security oversight.
-
-### Response and remediation
-
-- Immediately isolate the affected container to prevent further unauthorized access or execution of commands. This can be done by stopping the container or disconnecting it from the network.
-- Review the container's configuration and access controls to identify any misconfigurations or unauthorized access permissions that may have allowed the execution of container management utilities.
-- Conduct a thorough analysis of the container's logs and process activities to determine the extent of the compromise and identify any additional malicious activities or lateral movement attempts.
-- Remove any unauthorized or suspicious binaries and scripts from the container to prevent further exploitation.
-- Patch and update the container image and underlying host system to address any known vulnerabilities that may have been exploited.
-- Implement stricter access controls and monitoring on container management utilities to ensure they are only accessible by authorized users and processes.
-- Escalate the incident to the security operations team for further investigation and to assess the need for broader security measures across the container environment."""
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"

rules/linux/execution_cupsd_foomatic_rip_file_creation.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/09/27"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -69,7 +69,7 @@ references = [
     "https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1",
     "https://github.com/RickdeJager/cupshax/blob/main/cupshax.py",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "b9b14be7-b7f4-4367-9934-81f07d2f63c4"
 setup = """## Setup
 
@@ -96,7 +96,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "high"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Linux",
@@ -108,27 +108,27 @@ tags = [
     "Resources: Investigation Guide",
 ]
 type = "eql"
-
 query = '''
 sequence by host.id with maxspan=10s
   [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start") and
    process.parent.name == "foomatic-rip" and
    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")] by process.entity_id
   [file where host.os.type == "linux" and event.type != "deletion" and
-   not (process.name == "gs" and file.path like "/tmp/gs_*")] by process.parent.entity_id
+   not (
+     (process.name == "gs" and file.path like ("/tmp/gs_*", "/var/spool/cups/tmp/gs_*")) or
+     (process.name == "pdftops" and file.path like "/tmp/0*")
+   )] by process.parent.entity_id
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1203"
 name = "Exploitation for Client Execution"
 reference = "https://attack.mitre.org/techniques/T1203/"
 
-
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
-

rules/linux/execution_cupsd_foomatic_rip_lp_user_execution.toml

@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2024/09/27"
-integration = ["endpoint", "crowdstrike"]
+integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/12/18"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,12 @@ through crafted UDP packets or network spoofing. This can result in arbitrary co
 initiated.
 """
 from = "now-9m"
-index = ["endgame-*", "logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
+index = [
+    "endgame-*",
+    "logs-crowdstrike.fdr*",
+    "logs-endpoint.events.process*",
+    "logs-sentinel_one_cloud_funnel.*",
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Printer User (lp) Shell Execution"
@@ -104,23 +109,25 @@ tags = [
   "Use Case: Threat Detection",
   "Use Case: Vulnerability",
   "Tactic: Execution",
+  "Data Source: Crowdstrike",
   "Data Source: Elastic Defend",
   "Data Source: Elastic Endgame",
+  "Data Source: SentinelOne",
   "Resources: Investigation Guide",
-  "Data Source: Crowdstrike",
+
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
-  event.action in ("exec", "exec_event", "ProcessRollup2") and user.name == "lp" and
+  event.action in ("exec", "exec_event", "ProcessRollup2", "ProcessRollup2") and user.name == "lp" and
   process.parent.name in ("cupsd", "foomatic-rip", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
   process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not (
     process.command_line like (
       "*/tmp/foomatic-*", "*-sDEVICE=ps2write*", "*printf*", "/bin/sh -e -c cat", "/bin/bash -c cat",
       "/bin/bash -e -c cat"
     ) or
-    process.args like "gs*"
+    process.args like ("gs*", "/usr/bin/lsb_release", "/usr/lib/cups/filter/gstopdf")
   )
 '''