
Conversation

@Aegrah
Contributor

@Aegrah Aegrah commented Dec 17, 2025

Pull Request Summary

Why

This PR updates and enhances several Linux credential access detection rules, with a focus on improving detection accuracy, expanding data source coverage, increasing risk prioritization, and deprecating certain rules.


What changed

  • General Enhancements

    • Many rules now include additional integrations: auditd_manager and sentinel_one_cloud_funnel.
    • Index patterns expanded to cover more log sources (e.g., logs-auditd_manager.auditd-*, logs-sentinel_one_cloud_funnel.*, endgame-*, auditbeat-*).
    • New terms detection fields updated (e.g., from host.id to agent.id).
    • History window durations for new terms shortened (e.g., from 10d to 5d).
    • More event actions and process names included in detection logic for broader coverage.
    • Several rules have increased risk scores and severity levels (e.g., from "medium" to "high", risk score from 47 to 73).
  • Rule-Specific Notes

    • credential_access_aws_creds_search_inside_container.toml
      • Severity increased to "high" and risk score to 73.
      • Expanded process names to include cat, sed, and awk.
    • credential_access_collection_sensitive_files.toml
      • Added integrations for auditd_manager and sentinel_one_cloud_funnel.
      • Broader index and event action coverage.
      • New terms now use agent.id.
      • History window shortened to 5d.
    • credential_access_collection_sensitive_files_compression_inside_container.toml
      • Severity increased to "high" and risk score to 73.
    • credential_access_credential_dumping.toml
      • Severity increased to "high" and risk score to 73.
    • credential_access_gdb_init_process_hooking.toml
      • Added auditd_manager integration and index.
      • Severity increased to "high" and risk score to 73.
      • Broader event action coverage.
    • credential_access_gh_auth_via_nodejs.toml
      • Added endgame-* to index.
      • Broader event action coverage.
    • credential_access_kubernetes_service_account_secret_access.toml
      • Broader exclusions to reduce false positives (e.g., specific command lines, working directories, and parent processes).
    • credential_access_manual_memory_dumping.toml
      • Added auditd_manager integration and index.
      • Severity increased to "high" and risk score to 73.
      • Broader event action coverage.
    • credential_access_potential_linux_local_account_bruteforce.toml
      • Changed from EQL to ESQL.
      • Added interval and new ESQL query logic for more robust brute force detection.
      • Broader parent process exclusions.
    • credential_access_potential_linux_ssh_bruteforce_external.toml and credential_access_potential_linux_ssh_bruteforce_internal.toml
      • Changed from EQL to ESQL.
      • Added interval and new ESQL query logic for more robust brute force detection.
      • Broader field coverage and improved statistics for event grouping.
    • credential_access_potential_successful_linux_ftp_bruteforce.toml and credential_access_potential_successful_linux_rdp_bruteforce.toml
      • Both rules are now marked as Deprecated.
      • Investigation notes updated to clarify deprecation and provide detailed triage, false positive, and response guidance.

Behavioral impact

  • Increased detection coverage for credential access and brute force attempts across more data sources and event types.
  • Higher severity and risk scores will prioritize these alerts in SOC workflows.
  • Deprecated rules will no longer be maintained; users should migrate to newer alternatives.
  • More robust brute force detection using ESQL and improved event grouping/statistics.

Risks/edge cases

  • Expanding index patterns and integrations could introduce noise if new data sources are not properly filtered or normalized.
  • Changing new terms fields and history windows may affect alert frequency and baseline calculations.
  • Broader event action and process name coverage could increase false positives if not carefully tuned.
  • Deprecated rules may still be in use in some environments; ensure migration to supported rules.

Rollout notes

  • Ensure new data sources are ingested and mapped correctly before enabling updated rules.
  • Monitor for increased alert volume or false positives after deployment.
  • Communicate changes in detection logic, severity, and deprecation status to SOC analysts.
  • Consider phased rollout or additional tuning if noise increases.
  • Review and update any playbooks or automations that reference deprecated rules.

@Aegrah Aegrah self-assigned this Dec 17, 2025
@Aegrah Aegrah added OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Dec 17, 2025
@github-actions
Contributor

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@tradebot-elastic

tradebot-elastic commented Dec 17, 2025

⛔️ Test failed

Results
  • ❌ Potential Internal Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Keys Or Passwords Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux RDP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Credentials Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Memory Dumping via Proc Filesystem (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux FTP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Sensitive Files Compression (kuery)
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Successful SSH Brute Force Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Secret Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Linux init (PID 1) Secret Dump via GDB (eql)
  • ❌ Sensitive Files Compression Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Authentication Token Access via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Credential Dumping via Unshadow (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Linux Credential Dumping via Proc Filesystem (eql)
  • ❌ Potential OpenSSH Backdoor Logging Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential External Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Contributor

@Mikaayenson Mikaayenson left a comment

Lot of reasonable tunings in here. No notes. I didn't notice the query conversion eql-->sql slightly changing semantics (10 runs vs 25 counts), but still no big concern. Should be g2g when the CI passes.

Contributor

@eric-forte-elastic eric-forte-elastic left a comment

🟢 Manual review, looks good to me! 👍

Comment on lines 74 to 75
Esql.agent_id_values = values(agent.id),
Esql.event_dataset_values = values(event.dataset),
Contributor

those 2 are already defined : agent.id is in the aggregation and dataset is in the query index logs-endpoint.events.process*

)
] with runs=10
from logs-endpoint.events.process* metadata _id, _index, _version
| mv_expand event.action
Contributor

you will need to add | eval time_window = DATE_TRUNC(1 minute, @timestamp) or 30s to have similar behavior as maxspan with the adequate threshold, but from telm it seems like the rule is not very noisy, instead of converting it to ESQL just add a condition on process.args_count <= 2

Contributor Author

Added the eval with 1 minute.

by process.parent.executable, agent.id, user.id
| where Esql.event_count >= 25
Contributor

too high compared to if you just dropped args_count <= 2

Contributor Author

This is way more efficient, and a brute force will very likely exceed this number. However, I bumped it down to the original >= 10 as the rule was doing fine; this is just a performance increase.

"192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4",
"100.64.0.0/10", "192.175.48.0/24","198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
"::1", "FE80::/10", "FF00::/8") ] with runs = 10
from "filebeat-*", "logs-system.auth-*" metadata _id, _index, _version
Contributor

it may error because of the multi-index (if one is missing), you will also need to add the | eval time_window = DATE_TRUNC(30 seconds, @timestamp) and set the Esql.event_count >= 60 to reduce noise (try it on telm and you will see with 25 it will remain noisy)

Contributor Author

Bumped to 60.

it may error because of the multi-index (if one is missing)

That's a good call, though. Because of this reason, we probably shouldn't even convert to ESQL. Will discuss this via Slack.

Esql.event_dataset_values = values(event.dataset),
Esql.data_stream_namespace_values = values(data_stream.namespace)
by source.ip, agent.id, user.name
Contributor

should by source.ip, agent.id to be similar to the previous logic, by user.name will miss attempt to brute-force multi accounts using same pwd.

Contributor Author

Discussed this on Slack, will create a new rule for password spraying and keep this one as we had it previously (on source.ip, agent.id and user.name)
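The window, threshold and grouping-key discussion in this thread (the DATE_TRUNC time_window, the Esql.event_count threshold, and grouping by source.ip, agent.id, user.name versus source.ip, agent.id) modelled in Python as an added example; this is not code from the PR or from the detection-rules repository. The events, IPs, agent ids, the 30-second window and the threshold of 10 are constructed assumptions; the rule's real index patterns, filters and thresholds are the ones in the PR.

```python
"""Model of the ES|QL windowed brute-force logic discussed in this PR.

Added example, not code from the detection-rules repository. Event values,
the 30-second window and the thresholds below are constructed assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

BASE = datetime(2025, 12, 17, 10, 0, 0, tzinfo=timezone.utc)


def _event(offset_s, src, user, outcome="failure", agent="agent-a"):
    """One constructed ECS-style authentication event."""
    return {
        "@timestamp": BASE + timedelta(seconds=offset_s),
        "event.action": "ssh_login",
        "event.outcome": outcome,
        "source.ip": src,
        "user.name": user,
        "agent.id": agent,
    }


# Constructed sample data (the IPs are documentation ranges, not real hosts).
EVENTS = (
    # brute force: one source, one account, 12 failures in 22 seconds
    [_event(i * 2, "198.51.100.7", "root") for i in range(12)]
    # password spraying: one source, 12 accounts, one failure each
    + [_event(i * 2, "203.0.113.9", f"svc{i}") for i in range(12)]
    # benign: a user mistypes a password three times
    + [_event(i * 5, "10.0.0.5", "alice") for i in range(3)]
)


def date_trunc(ts, window):
    """Python equivalent of ES|QL DATE_TRUNC(window, @timestamp)."""
    secs = window.total_seconds()
    epoch = ts.timestamp()
    return datetime.fromtimestamp(epoch - epoch % secs, tz=timezone.utc)


def brute_force_hits(events, group_by, window=timedelta(seconds=30), threshold=10):
    """Model of the ES|QL pipeline
         | where event.outcome == "failure" and source.ip is not null
         | eval time_window = DATE_TRUNC(<window>, @timestamp)
         | stats Esql.event_count = count(*) by time_window, <group_by...>
         | where Esql.event_count >= <threshold>
    Returns {(time_window, *group_by_values): count} for buckets over threshold.
    """
    counts = Counter()
    for e in events:
        if e["event.outcome"] != "failure" or not e.get("source.ip"):
            continue
        key = (date_trunc(e["@timestamp"], window),) + tuple(e[f] for f in group_by)
        counts[key] += 1
    return {k: c for k, c in counts.items() if c >= threshold}


def offending_sources(events, group_by, **kwargs):
    """Distinct source.ip values that produced at least one hit."""
    pos = 1 + group_by.index("source.ip")  # key[0] is the time_window
    return sorted({k[pos] for k in brute_force_hits(events, group_by, **kwargs)})


if __name__ == "__main__":
    per_user = ["source.ip", "agent.id", "user.name"]
    per_source = ["source.ip", "agent.id"]
    print("by user  :", offending_sources(EVENTS, per_user))
    print("by source:", offending_sources(EVENTS, per_source))
    print("threshold 60:", offending_sources(EVENTS, per_source, threshold=60))
```

Grouping by user.name catches the single-account brute force but not the spray; dropping user.name catches both, which is the gap the reviewer flagged and the reason a separate spraying rule was agreed. Raising the threshold to 60 (the value suggested for the external rule) suppresses everything in this small sample, so the number has to be set against real telemetry. Two semantic differences from the EQL original are worth keeping in mind when comparing alert volumes: `runs=10` means ten consecutive matching events for one key inside maxspan, whereas the count model needs N events inside one fixed bucket, so a burst straddling a bucket boundary is split across two windows and can fall under threshold in both.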

[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=10
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=25
Contributor

have u tried to use ES|QL on the telem rule to see if 25 will reduce noise or not ?

Contributor Author

I don't think we can write an ESQL rule on a sequence from failed --> success? We can write one to say failure X and success Y, but no sequencing, which makes it not really a way to detect the successful piece of the brute force attack.
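The failed-then-success ordering the author says ES|QL cannot express, shown as an added example that is not the rule's code and not the Elastic EQL engine: a simplified model of `sequence by <key> with maxspan ... [failure] with runs=N [success]` next to an order-insensitive "N failures and a success" count, both run over constructed SSH events. The join key (source.ip), maxspan=15s, runs=10, the IPs and the timings are assumptions; the real rule's sequence is only partly visible in the snippet above.

```python
"""Simplified model of an EQL failure-then-success sequence next to an
order-insensitive count, over constructed SSH events.

Added example, not the rule's code and not the Elastic EQL engine. The join
key, maxspan=15s, runs=10 and the event values are assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

T0 = datetime(2025, 12, 17, 12, 0, 0, tzinfo=timezone.utc)


def _ev(offset_s, src, outcome):
    """Constructed authentication event (only the fields the model needs)."""
    return {"@timestamp": T0 + timedelta(seconds=offset_s),
            "source.ip": src, "event.outcome": outcome}


EVENTS = (
    # attacker: 10 failures in 9 seconds, then a success at t=10
    [_ev(i, "198.51.100.7", "failure") for i in range(10)]
    + [_ev(10, "198.51.100.7", "success")]
    # benign: a successful login, then 10 failures from a stale script
    + [_ev(0, "10.0.0.5", "success")]
    + [_ev(1 + i, "10.0.0.5", "failure") for i in range(10)]
    # slow attacker: 10 failures over 27 seconds, success at t=30 (outside maxspan)
    + [_ev(3 * i, "192.0.2.44", "failure") for i in range(10)]
    + [_ev(30, "192.0.2.44", "success")]
)


def sequence_alerts(events, key_fields, runs=10, maxspan=timedelta(seconds=15)):
    """Model of
         sequence by <key_fields> with maxspan=<maxspan>
           [authentication where event.outcome == "failure"] with runs=<runs>
           [authentication where event.outcome == "success"]
    One alert per success preceded by `runs` failures from the same key, with
    the whole run fitting inside `maxspan` measured from its first failure.
    """
    pending = defaultdict(deque)  # key -> timestamps of candidate failures
    alerts = []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        key = tuple(e[f] for f in key_fields)
        ts = e["@timestamp"]
        fails = pending[key]
        # a failure older than maxspan cannot head a sequence that ends at ts
        while fails and ts - fails[0] > maxspan:
            fails.popleft()
        if e["event.outcome"] == "failure":
            fails.append(ts)
            if len(fails) > runs:  # only the most recent `runs` failures matter
                fails.popleft()
        elif e["event.outcome"] == "success" and len(fails) >= runs:
            alerts.append({"key": key, "first_failure": fails[0], "success": ts})
            fails.clear()  # matched events are consumed
    return alerts


def count_based(events, key_fields, threshold=10):
    """Order-insensitive alternative: >= threshold failures AND >= 1 success
    for the same key anywhere in the evaluation window, no sequencing."""
    fails, succ = Counter(), Counter()
    for e in events:
        key = tuple(e[f] for f in key_fields)
        if e["event.outcome"] == "failure":
            fails[key] += 1
        else:
            succ[key] += 1
    return sorted(k for k in fails if fails[k] >= threshold and succ[k] >= 1)


if __name__ == "__main__":
    for a in sequence_alerts(EVENTS, ["source.ip"]):
        print("sequence alert:", a)
    print("count-based   :", count_based(EVENTS, ["source.ip"]))
```

The sequence matcher fires once, for the fast attacker; the count-based check also flags the benign host (success before the failures) and the slow attacker (run longer than maxspan), which is the loss of precision the author is describing. Loosening maxspan to 60 seconds makes the slow attacker a sequence hit as well, so the span is a tuning knob in its own right, separate from the count.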

@tradebot-elastic

tradebot-elastic commented Dec 18, 2025

⛔️ Test failed

@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Removed 'auditbeat-*' from the index list.
@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Removed redundant event.action expansion and filtering logic.
@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Refactor ESQL query to improve readability and maintainability by moving the event.action expansion and filtering logic.
@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

@tradebot-elastic

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

@tradebot-elastic
tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results
  • ❌ Potential Internal Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Keys Or Passwords Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux RDP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Credentials Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Memory Dumping via Proc Filesystem (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux FTP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Sensitive Files Compression (kuery)
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Successful SSH Brute Force Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Secret Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Linux init (PID 1) Secret Dump via GDB (eql)
  • ❌ Sensitive Files Compression Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Authentication Token Access via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Credential Dumping via Unshadow (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Linux Credential Dumping via Proc Filesystem (eql)
  • ❌ Potential OpenSSH Backdoor Logging Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential External Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
tradebot-elastic commented Dec 24, 2025

⛔️ Test failed

Results
  • ❌ Potential Internal Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Keys Or Passwords Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux RDP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Credentials Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Memory Dumping via Proc Filesystem (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux FTP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Sensitive Files Compression (kuery)
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Successful SSH Brute Force Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Secret Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Linux init (PID 1) Secret Dump via GDB (eql)
  • ❌ Sensitive Files Compression Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Authentication Token Access via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Credential Dumping via Unshadow (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Linux Credential Dumping via Proc Filesystem (eql)
  • ❌ Potential OpenSSH Backdoor Logging Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential External Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
tradebot-elastic commented Dec 24, 2025

⛔️ Test failed

Results
  • ❌ Potential Internal Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Keys Or Passwords Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux RDP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Credentials Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Memory Dumping via Proc Filesystem (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux FTP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Sensitive Files Compression (kuery)
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Successful SSH Brute Force Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Secret Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Linux init (PID 1) Secret Dump via GDB (eql)
  • ❌ Sensitive Files Compression Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Authentication Token Access via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Credential Dumping via Unshadow (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Linux Credential Dumping via Proc Filesystem (eql)
  • ❌ Potential OpenSSH Backdoor Logging Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential External Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
tradebot-elastic commented Dec 24, 2025

⛔️ Test failed

Results
  • ❌ Potential Internal Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Keys Or Passwords Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux RDP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Credentials Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Memory Dumping via Proc Filesystem (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux FTP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Sensitive Files Compression (kuery)
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Successful SSH Brute Force Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Secret Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Linux init (PID 1) Secret Dump via GDB (eql)
  • ❌ Sensitive Files Compression Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Authentication Token Access via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Credential Dumping via Unshadow (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Linux Credential Dumping via Proc Filesystem (eql)
  • ❌ Potential OpenSSH Backdoor Logging Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential External Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
tradebot-elastic commented Dec 24, 2025

⛔️ Test failed

Results
  • ❌ Potential Internal Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Keys Or Passwords Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux RDP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Credentials Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Memory Dumping via Proc Filesystem (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux FTP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Sensitive Files Compression (kuery)
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Successful SSH Brute Force Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Secret Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Linux init (PID 1) Secret Dump via GDB (eql)
  • ❌ Sensitive Files Compression Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Authentication Token Access via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Credential Dumping via Unshadow (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Linux Credential Dumping via Proc Filesystem (eql)
  • ❌ Potential OpenSSH Backdoor Logging Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential External Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

6 participants