Conversation


@Aegrah Aegrah commented Dec 23, 2025

PR 5512 Reviewer Summary

Why

This PR updates, refines, and in some cases deprecates several cross-platform detection rules for command and control, defense evasion, persistence, and privilege escalation. The changes are intended to:

  • Improve detection accuracy and reduce false positives.
  • Expand and clarify triage/investigation guidance.
  • Update rule logic to reflect new threat intelligence and operational realities.
  • Deprecate or rename rules that are no longer recommended or have been superseded.

What Changed

General:

  • All rules updated with updated_date = "2025/12/23".
  • Many rules received expanded or newly added note sections with detailed triage, false positive, and response guidance.
  • Several rules had their risk_score, severity, and history_window_start updated for consistency and improved detection.
  • Exclusion logic and exception lists were expanded in many queries to reduce noise.

Notable Rule-Specific Changes:

  • command_and_control_curl_wget_spawn_via_nodejs_parent

    • Query expanded to exclude additional benign parent executables (e.g., .cursor-server, .nvm, .vscode-server, cursor-agent) and shell snapshot paths.
    • More robust filtering for local/benign activity.
  • command_and_control_non_standard_ssh_port

    • Rule renamed to "Deprecated - Potential Non-Standard Port SSH connection".
    • Triage note updated to reflect deprecation.
  • defense_evasion_deletion_of_bash_command_line_history

    • Query now excludes more benign tools (timeout, kubectl, psql, bazel, git, jq, grep) and a specific stat command.
    • Query, metadata, and tags moved to the bottom of the file for consistency.
  • defense_evasion_masquerading_space_after_filename

    • Query now excludes process.args == "runc" to reduce false positives.
    • Metadata and tags moved to the bottom of the file for consistency.
  • defense_evasion_timestomp_touch

    • Query now uses more robust logic for parent process and argument exclusions, including many new parent executables, names, and command lines.
    • Metadata and tags moved to the bottom of the file for consistency.
  • persistence_ssh_authorized_keys_modification

    • Rule renamed to "SSH Authorized Keys File Activity".
    • Query now only matches on authorized_keys and authorized_keys2 (removes /etc/ssh/sshd_config and /root/.ssh).
    • history_window_start reduced from 10d → 5d.
    • Metadata and tags moved to the bottom of the file for consistency.
  • privilege_escalation_setuid_setgid_bit_set_via_chmod

    • Query expanded to exclude more benign parent executables (find, commvault, metallic, etc.), parent args, and parent command lines.
    • Metadata and tags moved to the bottom of the file for consistency.
  • privilege_escalation_sudoers_file_mod

    • Rule renamed to "Sudoers File Activity".
    • Query now excludes more benign process names (wildcards for platform-python, python, etc.) and executables (podman, teleport, rpm, microdnf, salt-minion, etc.).
    • Metadata and tags moved to the bottom of the file for consistency.

Behavioral Impact

  • Improved Detection Quality: Expanded exclusions and more precise queries will reduce false positives and alert fatigue for analysts.
  • Better Triage: New and improved investigation guides provide actionable steps for analysts, improving response quality and speed.
  • Deprecation: Some rules are now marked as deprecated, signaling to users that they should be replaced or are no longer recommended.
  • Rule Renaming: Some rules have been renamed for clarity and to reflect their current status or scope.

Risks / Edge Cases

  • Potential Missed Detections: Aggressive exclusions may inadvertently suppress some true positives if legitimate attack techniques mimic benign activity.
  • Rule Deprecation: Deprecated rules may still be in use in some environments; ensure migration to newer rules where possible.
  • Operational Overhead: Analysts may need to review and update their own exception lists and playbooks to align with new guidance and exclusions.
  • Rule Renaming: Renamed rules may require updates to dashboards, alerting, or documentation.

Rollout Notes

  • Review and Test: Carefully review the updated rules and test in a staging environment before full production rollout.
  • Update Playbooks: Update SOC/IR playbooks to leverage the new triage and response guidance.
  • Monitor for Gaps: After deployment, monitor for any missed detections or unexpected alert suppression due to new exclusions.
  • Deprecation Handling: Identify and replace any deprecated rules in your environment.
  • Rule Renaming: Update any references to renamed rules in your documentation, dashboards, and alerting systems.

@Aegrah Aegrah self-assigned this Dec 23, 2025
@Aegrah Aegrah added OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Dec 23, 2025
@github-actions (Contributor)

Rule: Tuning - Guidelines

These guidelines serve as a reminder of the considerations to keep in mind when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving the quality and integrity of the data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results
  • ❌ SSH Authorized Keys File Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tampering of Shell Command-Line History (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SUID/SGID Bit Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sudoers File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Timestomping using Touch Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Non-Standard Port SSH connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Curl or Wget Spawned via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Masquerading Space After Filename (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@botelastic botelastic bot added the bbr Building Block Rules label Dec 24, 2025
@tradebot-elastic

Starting the rule tests ...

This reverts commit 386dc90.
@tradebot-elastic

tradebot-elastic commented Dec 24, 2025

⛔️ Test failed

Results
  • ❌ SSH Authorized Keys File Activity (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tampering of Shell Command-Line History (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SUID/SGID Bit Set (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sudoers File Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Timestomping using Touch Command (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Non-Standard Port SSH connection (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Curl or Wget Spawned via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Masquerading Space After Filename (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Review comment on the Tampering of Shell Command-Line History query (quoted diff context):

    (process.args : "set" and process.args : "history" and process.args : "+o")
    ) and not (
    process.executable in (
    "/usr/bin/timeout", "/usr/bin/kubectl", "/usr/bin/psql", "/usr/lib/postgresql/16/bin/psql", "/usr/bin/bazel", "/usr/bin/git", "/usr/bin/jq", "/bin/grep"

Contributor comment:

Is this specific to version 16? Should we wildcard it? --> /usr/lib/postgresql/16/bin/psql
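As an added example (not code from the PR or the detection-rules repository), the `set +o history` clause and exclusion list quoted in the diff above, evaluated in Python over constructed process events. It contrasts the exact-path exclusion with the wildcarded form the reviewer asks about; glob-style matching via `fnmatch` and the event field layout are assumptions, not the rule engine's semantics.

```python
from fnmatch import fnmatch

# Exclusion list exactly as quoted in the review diff (exact paths).
EXACT_EXCLUDED = frozenset({
    "/usr/bin/timeout", "/usr/bin/kubectl", "/usr/bin/psql",
    "/usr/lib/postgresql/16/bin/psql", "/usr/bin/bazel", "/usr/bin/git",
    "/usr/bin/jq", "/bin/grep",
})

# The reviewer's alternative: wildcard the PostgreSQL major version.
# Assumption: glob-style matching (fnmatch); the real rule engine may differ.
WILDCARD_EXCLUDED = frozenset(
    p.replace("/postgresql/16/", "/postgresql/*/") for p in EXACT_EXCLUDED
)


def disables_history(args):
    """The quoted clause: "set", "history" and "+o" each appear as an argv element."""
    return {"set", "history", "+o"} <= set(args)


def is_excluded(executable, patterns, wildcard=False):
    """Exact membership test, or glob match when wildcard=True."""
    if wildcard:
        return any(fnmatch(executable, p) for p in patterns)
    return executable in patterns


def alerts(events, patterns, wildcard=False):
    """Return ids of events that match the clause and are not excluded."""
    return [
        e["id"] for e in events
        if disables_history(e["args"])
        and not is_excluded(e["executable"], patterns, wildcard)
    ]


# Constructed sample events (not real telemetry); a psql from a newer
# PostgreSQL major version is the case the reviewer's question is about.
EVENTS = [
    {"id": "shell", "executable": "/bin/bash",
     "args": ["bash", "set", "+o", "history"]},
    {"id": "psql16", "executable": "/usr/lib/postgresql/16/bin/psql",
     "args": ["psql", "set", "+o", "history"]},
    {"id": "psql17", "executable": "/usr/lib/postgresql/17/bin/psql",
     "args": ["psql", "set", "+o", "history"]},
    {"id": "benign", "executable": "/bin/bash",
     "args": ["bash", "-c", "history"]},
]

if __name__ == "__main__":
    print("exact:   ", alerts(EVENTS, EXACT_EXCLUDED))           # ['shell', 'psql17']
    print("wildcard:", alerts(EVENTS, WILDCARD_EXCLUDED, True))  # ['shell']
```

With the exact list, the version-17 psql event still alerts; with the wildcarded list it is excluded, which is the trade-off between precision and maintenance the comment raises.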

Labels

backport: auto bbr Building Block Rules OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE
