
@Aegrah Aegrah (Contributor) commented Dec 18, 2025

Pull Request Summary

Why

This PR updates and strengthens a wide range of Linux discovery and reconnaissance detection rules. The focus is on improving detection accuracy, expanding data source coverage, increasing risk prioritization, and adding more robust filtering to reduce false positives and benign activity.

What changed

  • General Enhancements

    • Many rules have updated updated_date fields for traceability.
    • Several rules have increased risk scores and severity levels (e.g., from "low" to "medium"/"high", risk score from 21 to 47/73).
    • More event actions, process names, and parent process filters included in detection logic for broader coverage and reduced false positives.
    • Index patterns expanded to cover more log sources (e.g., logs-auditd_manager.auditd-*, logs-crowdstrike.fdr*, logs-sentinel_one_cloud_funnel.*, endgame-*, auditbeat-*).
    • New exclusions for known benign processes, paths, and parent executables to reduce noise.
    • New terms rules now use agent.id instead of host.id and have shorter history windows (e.g., from 14d to 5d).
    • Many rules now include or update detailed triage and investigation notes.
  • Rule-Specific Notes

    • discovery_docker_socket_discovery.toml
      • Severity increased from "low" to "medium", risk score from 21 to 47.
      • Excludes more benign parent executables and arguments.
    • discovery_dynamic_linker_via_od.toml
      • Severity increased from "low" to "high", risk score from 21 to 73.
    • discovery_esxi_software_via_find.toml and discovery_esxi_software_via_grep.toml
      • Added crowdstrike integration and index.
      • Broader event action coverage and more parent process exclusions.
    • discovery_kernel_module_enumeration.toml
      • Renamed to "Unusual Kernel Module Enumeration".
      • Now uses new terms only on process.executable (not parent).
      • History window shortened to 5d.
      • Expanded parent process and argument exclusions.
      • Investigation notes updated for clarity.
      • Severity lowered from "medium" to "low", risk score from 47 to 21.
    • discovery_kernel_seeking.toml and discovery_kernel_unpacking.toml
      • Severity increased from "low" to "medium", risk score from 21 to 47.
      • Broader parent process and argument exclusions.
      • Investigation notes updated for clarity.
    • discovery_kubeconfig_file_discovery.toml
      • Excludes more benign process names and executables.
    • discovery_kubectl_permission_discovery.toml
      • Added auditd_manager and sentinel_one_cloud_funnel integrations and indexes.
      • Severity increased from "low" to "medium", risk score from 21 to 47.
      • Broader event action coverage.
    • discovery_manual_mount_discovery_via_exports_or_fstab.toml
      • Added auditd_manager integration and index.
      • Severity increased from "low" to "medium", risk score from 21 to 47.
      • Broader event action and process name coverage.
    • discovery_pam_version_discovery.toml
      • Added auditd_manager integration and index.
      • Excludes more benign working directories and parent executables.
    • discovery_ping_sweep_detected.toml
      • Added crowdstrike and sentinel_one_cloud_funnel integrations and indexes.
      • Broader event action coverage.
      • Investigation notes updated for clarity.
    • discovery_port_scanning_activity_from_compromised_host.toml and discovery_subnet_scanning_activity_from_compromised_host.toml
      • Severity increased from "low" to "medium", risk score from 21 to 47.
      • ESQL queries now aggregate more context and exclude more benign executables.
    • discovery_private_key_password_searching_activity.toml
      • Added auditd_manager integration and index.
      • Severity increased from "low" to "high", risk score from 21 to 73.
      • Broader event action coverage.
      • Added MITRE ATT&CK credential access mapping.
    • discovery_proc_maps_read.toml and discovery_suspicious_memory_grep_activity.toml
      • Added auditd_manager integration and index.
      • Severity increased from "low" to "high", risk score from 21 to 73.
      • Broader event action and process name coverage.
      • More exclusions for benign parent processes and working directories.
      • Investigation notes updated for clarity.
    • discovery_process_capabilities.toml
      • Severity increased from "low" to "medium", risk score from 21 to 47.
    • discovery_pspy_process_monitoring_detected.toml
      • Rule is now marked as Deprecated and renamed accordingly.
      • Investigation notes updated to clarify deprecation.
    • discovery_suid_sguid_enumeration.toml
      • Severity increased from "low" to "medium", risk score from 21 to 47.
      • Investigation notes updated for clarity.
    • discovery_suspicious_network_tool_launched_inside_container.toml
      • Broader process name coverage and new exclusions for benign arguments.
      • Investigation notes updated for clarity.

Behavioral impact

  • Increased detection coverage for discovery and reconnaissance techniques across more data sources and event types.
  • Higher severity and risk scores will prioritize these alerts in SOC workflows.
  • More robust filtering and exclusions should reduce false positives and alert fatigue.
  • Alerts will now include richer context for investigation.
  • Deprecated rules will no longer be maintained; users should migrate to newer alternatives.

Risks/edge cases

  • Expanding index patterns and integrations could introduce noise if new data sources are not properly filtered or normalized.
  • Broader event action and process name coverage could increase false positives if not carefully tuned.
  • More aggressive filtering may inadvertently exclude some true positives if not validated in production.
  • Deprecated rules may still be in use in some environments; ensure migration to supported rules.

Rollout notes

  • Ensure new data sources are ingested and mapped correctly before enabling updated rules.
  • Monitor for increased alert volume or false positives after deployment.
  • Communicate changes in detection logic, severity, and exclusions to SOC analysts.
  • Consider phased rollout or additional tuning if noise increases.
  • Review and update any playbooks or automations that reference these rules, especially deprecated ones.

@Aegrah Aegrah self-assigned this Dec 18, 2025
@Aegrah Aegrah added OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Dec 18, 2025
@github-actions (Contributor)

Rule: Tuning - Guidelines

These guidelines serve as a reminder of the considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements from adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning for adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving the quality and integrity of the data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.
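
The metadata checks listed above, together with the severity/risk score pairs and the new_terms conventions (agent.id rather than host.id, a 5d history window) from the PR summary, written as a small lint; this is an added example, not the detection-rules project's own tooling. The document layout it assumes ([metadata], [rule] and [rule.new_terms] tables as tomllib would load them) and the before/after sample rule documents are constructed for illustration.

```python
"""Metadata lint for Elastic detection-rule TOML documents (added example, not
the detection-rules project's own tooling). Assumes the project's file layout:
updated_date under [metadata], rule fields under [rule], new_terms settings
under [rule.new_terms], as loaded by tomllib into nested dicts."""
import re
from datetime import date

# Severity/risk_score pairs from the PR summary; critical=99 is the usual
# project value and is not taken from the PR text.
SEVERITY_RISK = {"low": 21, "medium": 47, "high": 73, "critical": 99}
DOUBLED_WORD = re.compile(r"\b(\w+)\s+\1\b", re.IGNORECASE)
HISTORY_WINDOW = re.compile(r"^now-(\d+)d$")
MERGE_DATE = date(2025, 12, 18)  # assumed merge day of the tuning PR


def history_window_days(rule):
    """Days in the new_terms history window, or None if absent or malformed."""
    for entry in rule.get("new_terms", {}).get("history_window_start", []):
        if entry.get("field") == "history_window_start":
            m = HISTORY_WINDOW.match(str(entry.get("value", "")))
            return int(m.group(1)) if m else None
    return None


def lint_rule(doc, merge_date, max_history_days=5):
    """Return the list of findings; an empty list means every check passed."""
    meta, rule, findings = doc.get("metadata", {}), doc.get("rule", {}), []
    # updated_date must match the day the tuning PR is merged (YYYY/MM/DD).
    expected = merge_date.strftime("%Y/%m/%d")
    if meta.get("updated_date") != expected:
        findings.append(f"updated_date {meta.get('updated_date')!r} != {expected}")
    # severity and risk_score must form a matching pair.
    sev = rule.get("severity")
    if sev not in SEVERITY_RISK:
        findings.append(f"unknown severity {sev!r}")
    elif rule.get("risk_score") != SEVERITY_RISK[sev]:
        findings.append(f"risk_score {rule.get('risk_score')} does not match severity {sev}")
    # name and description: present, trimmed, no doubled words (cheap typo check).
    for key in ("name", "description"):
        text = rule.get(key, "")
        if not text.strip():
            findings.append(f"{key} is empty")
        elif text != text.strip():
            findings.append(f"{key} has leading or trailing whitespace")
        dup = DOUBLED_WORD.search(text)
        if dup:
            findings.append(f"{key} repeats the word {dup.group(1)!r}")
    # index patterns: at least one, none repeated.
    index = rule.get("index", [])
    if not index:
        findings.append("index is empty")
    elif len(set(index)) != len(index):
        findings.append("index contains duplicate patterns")
    # new_terms rules: key on agent.id (not host.id) with a short history window.
    if rule.get("type") == "new_terms":
        if "host.id" in rule.get("new_terms", {}).get("value", []):
            findings.append("new_terms fields use host.id; the PR moves to agent.id")
        days = history_window_days(rule)
        if days is None:
            findings.append("history_window_start missing or not of the form now-<N>d")
        elif days > max_history_days:
            findings.append(f"history window {days}d exceeds {max_history_days}d")
    return findings


def sample_rule(updated, name, desc, index, sev, score, key_field, window):
    """Build a constructed rule document in the assumed layout (not a real rule file)."""
    return {"metadata": {"updated_date": updated},
            "rule": {"name": name, "description": desc, "index": index,
                     "severity": sev, "risk_score": score, "type": "new_terms",
                     "new_terms": {"field": "new_terms_fields",
                                   "value": [key_field, "process.executable"],
                                   "history_window_start": [
                                       {"field": "history_window_start", "value": window}]}}}


# Constructed before/after documents mirroring the kernel module rule changes.
BEFORE = sample_rule("2025/06/01", "Kernel Module Enumeration",
                     "Detects kernel module module enumeration.",
                     ["logs-endpoint.events.process*", "logs-endpoint.events.process*"],
                     "medium", 47, "host.id", "now-14d")
AFTER = sample_rule("2025/12/18", "Unusual Kernel Module Enumeration",
                    "Detects unusual kernel module enumeration.",
                    ["logs-endpoint.events.process*", "auditbeat-*", "endgame-*"],
                    "low", 21, "agent.id", "now-5d")

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_rule(doc, MERGE_DATE) or ["ok"])
```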

@tradebot-elastic commented Dec 18, 2025

⛔️ Test failed

Results
  • ❌ Suspicious Dynamic Linker Discovery via od (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Network Scan Executed From Host (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module (PAM) Version Discovery (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubectl Permission Discovery (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ ESXI Discovery via Grep (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Kernel Module Enumeration (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious /proc/maps Discovery (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ ESXI Discovery via Find (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Seeking Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kernel Unpacking Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Virtual Machine Fingerprinting (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SUID/SGUID Enumeration Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Process Capability Enumeration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Private Key Searching Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Port Scanning Activity from Compromised Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Network Tool Launched Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Yum/DNF Plugin Status Discovery (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Subnet Scanning Activity from Compromised Host (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubeconfig File Discovery (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual User Privilege Enumeration via id (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Mount Discovery via /etc/exports or /etc/fstab (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Pspy Process Monitoring Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Polkit Version Discovery (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Memory grep Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Docker Socket Enumeration (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic commented Dec 18, 2025

⛔️ Test failed


@tradebot-elastic commented Dec 18, 2025

⛔️ Test failed


@tradebot-elastic commented Dec 19, 2025

⛔️ Test failed


Updated the title of the investigation section to clarify focus on unusual kernel module enumeration.
@tradebot-elastic commented Dec 19, 2025

⛔️ Test failed


@tradebot-elastic commented Dec 23, 2025

⛔️ Test failed


Updated ESQL query to include additional fields and conditions for better analysis of connection attempts from compromised hosts.
@tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

