Conversation

@Aegrah Aegrah (Contributor) commented Dec 23, 2025

PR 5510 Reviewer Summary


Why

This PR updates and refines a set of Linux persistence and credential access detection rules to:

  • Reduce false positives and operational noise.
  • Improve detection accuracy for real-world threats and new attack techniques.
  • Expand coverage for new system behaviors and edge cases.
  • Provide clearer, actionable triage and investigation guidance.
  • Align rule metadata, severity, and risk scoring with current threat intelligence and operational feedback.

What Changed

  • Rule Logic and Query Refinements

    • Expanded and updated process, file path, and extension exclusions to reduce false positives from legitimate system, automation, and package management activity.
    • Improved pattern matching (e.g., more use of like, like~, and expanded process/file lists).
    • Updated queries to better handle edge cases, such as new parent/child process logic, working directory checks, and more granular command line exclusions.
    • Adjusted new_terms windows (e.g., history_window_start reduced from 14d to 5d in several rules).
  • Severity & Risk Score Adjustments

    • Several rules had their severity and/or risk_score lowered (e.g., from "medium" to "low", 47→21) to reduce alert fatigue.
    • Some rules had their severity/risk increased (e.g., persistence_user_credential_modification_via_echo, persistence_tainted_kernel_module_load, persistence_tainted_kernel_module_out_of_tree_load, persistence_yum_package_manager_plugin_file_creation) to reflect higher threat impact.
  • Metadata & Naming Updates

    • Rule names and descriptions updated for clarity and accuracy (e.g., "Potential Execution via XZBackdoor" → "Potential Execution via SSH Backdoor").
    • References, tags, and integration lists updated to reflect new sources and threat context.
  • Triage/Investigation Guide Enhancements

    • Many rules now include or update a note section with detailed, AI-generated triage, false positive analysis, and response/remediation steps.
    • Disclaimers added to investigation guides, recommending local validation.
  • Rule-Specific Notables

    • persistence_suspicious_ssh_execution_xzbackdoor: Renamed, risk/severity lowered, expanded exclusions for benign SSH child processes, improved triage note.
    • persistence_systemd_* rules: Expanded process/file exclusions, improved handling of automation and container tools, added/updated triage notes.
    • persistence_tainted_kernel_module_load / out_of_tree_load: Severity/risk increased, added/updated triage notes.
    • persistence_udev_rule_creation: Now only matches creation (not rename), expanded exclusions, added triage note.
    • persistence_user_credential_modification_via_echo: Severity/risk increased, now detects both passwd and shadow file modifications, improved query.
    • persistence_unusual_sshd_child_process: Lowered severity/risk, refined query to reduce noise, new exclusions for known benign processes.
    • persistence_web_server_* rules: Lowered severity/risk, expanded process/user/parent matching, improved ES|QL queries for better context and deduplication.
    • persistence_xdg_autostart_netcon: Expanded process and application exclusions, added triage note.
    • persistence_user_or_group_creation_or_modification: Added triage note, improved query and context.

Behavioral Impact

  • Reduced False Positives: More comprehensive exclusions and refined queries should significantly reduce noise from legitimate system and automation activity.
  • Improved Detection Quality: Adjusted severities and risk scores better align with real-world threat impact, helping SOCs prioritize.
  • Clearer Triage Guidance: Enhanced investigation notes provide analysts with actionable steps and context, improving response times and accuracy.
  • Broader Coverage: New and updated exclusions and logic account for a wider range of Linux distributions, tools, and operational scenarios.

Risks / Edge Cases

  • Potential for Missed Detections: Aggressive exclusions, especially for automation and package management tools, may inadvertently suppress some true positives if attackers abuse these tools.
  • Rule Downgrades: Lowering severity/risk on some rules may deprioritize alerts that could be significant in certain environments—review local risk appetite.
  • Rule Upgrades: Increasing severity/risk on others (e.g., tainted kernel module loads, credential modification via echo) may increase alert volume for rare but critical events.
  • Pattern Matching Changes: Switching from strict to pattern-based matching (like, like~) may have unforeseen effects on rule triggering in edge cases.

Rollout Notes

  • Review and Test: Before deploying to production, review all updated rules in a staging environment to ensure exclusions and logic match your operational context.
  • Update Playbooks: SOC/IR teams should update their playbooks to align with new triage/investigation notes and severity/risk changes.
  • Monitor Alert Volumes: Track alert volumes post-rollout to ensure that noise is reduced and critical detections are not missed.
  • Feedback Loop: Encourage feedback from analysts to further tune exclusions and triage guidance as needed.
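
As an added illustration of two trade-offs the summary raises (parent/command-line exclusions that suppress automation noise but can also suppress a true positive, and strict versus `like`/`like~` pattern matching widening what a rule triggers on), the following Python evaluator is not code from this PR or the detection-rules repository; the rule shape, event fields, exclusion lists and sample events are all constructed stand-ins, not the repository's actual rule.

```python
import fnmatch
from dataclasses import dataclass, field, replace
from typing import List

@dataclass
class Event:
    """Constructed stand-in for a file-modification event with process context."""
    id: str
    process_name: str
    parent_name: str
    command_line: str
    file_path: str

@dataclass
class Rule:
    """Constructed stand-in for a rule: match clauses plus exclusion clauses."""
    name: str
    file_patterns: List[str]      # `like` semantics: wildcards, case-sensitive
    cmdline_patterns: List[str]   # `like~` semantics: wildcards, case-insensitive
    excluded_parents: List[str] = field(default_factory=list)
    excluded_cmdlines: List[str] = field(default_factory=list)

def like(value: str, pattern: str) -> bool:
    return fnmatch.fnmatchcase(value, pattern)          # '*' any run, '?' one char

def like_ci(value: str, pattern: str) -> bool:
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def decide(rule: Rule, ev: Event) -> str:
    """Return 'no_match', 'fires' or 'suppressed: <reason>' so the triage path is visible."""
    if not any(like(ev.file_path, p) for p in rule.file_patterns):
        return "no_match"
    if not any(like_ci(ev.command_line, p) for p in rule.cmdline_patterns):
        return "no_match"
    if ev.parent_name in rule.excluded_parents:
        return f"suppressed: parent {ev.parent_name!r} is excluded"
    for p in rule.excluded_cmdlines:
        if like_ci(ev.command_line, p):
            return f"suppressed: command line matches {p!r}"
    return "fires"

def alerts(rule: Rule, events: List[Event]) -> List[str]:
    """Ids of the events that would raise an alert under this rule."""
    return [ev.id for ev in events if decide(rule, ev) == "fires"]

# Strict file names: only the live passwd/shadow files are in scope.
CRED_MOD_RULE = Rule(
    name="credential modification via echo (constructed stand-in)",
    file_patterns=["/etc/passwd", "/etc/shadow"],
    cmdline_patterns=["*echo*"],
    excluded_parents=["ansible-playbook", "dpkg", "rpm"],   # automation / package tools
    excluded_cmdlines=["*/var/lib/dpkg/info/*"],            # package maintainer scripts
)
# Same rule with wildcard file patterns: now also matches backups such as /etc/shadow-.
WIDENED_RULE = replace(CRED_MOD_RULE, file_patterns=["/etc/passwd*", "/etc/shadow*"])

ECHO_CMD = "bash -c 'echo \"<constructed entry>\" >> /etc/shadow'"
EVENTS = [  # constructed sample events
    Event("e1", "bash", "sshd", ECHO_CMD, "/etc/shadow"),              # interactive session: fires
    Event("e2", "bash", "ansible-playbook", ECHO_CMD, "/etc/passwd"),  # automation parent: suppressed
    Event("e3", "bash", "sshd", "bash -c 'echo done >> /var/log/x.log'", "/var/log/x.log"),  # out of scope
    Event("e4", "bash", "cron", "bash -c 'ECHO x >> /etc/shadow-'", "/etc/shadow-"),  # strict vs like
]
```

Event e2 shows the summary's stated risk: the same command that fires for e1 is silent under an automation parent, so that exclusion is a deliberate coverage trade. Comparing e4 under the two rules shows how a wildcard file pattern changes what fires.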

@Aegrah Aegrah self-assigned this Dec 23, 2025
@Aegrah Aegrah added OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Dec 23, 2025
@github-actions (Contributor) commented

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

tradebot-elastic commented Dec 23, 2025

⛔️ Test failed

Results
  • ❌ Uncommon Destination Port Connection by Web Server (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Systemd-udevd Rule File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Yum Package Manager Plugin File Creation (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Systemd Shell Execution During Boot (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Systemd Service Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Systemd Generator Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual SSHD Child Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Tainted Out-Of-Tree Kernel Module Load (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Web Server Command Execution (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Exim4 Child Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux User Account Credential Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Execution via SSH Backdoor (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Systemd Timer Created (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Command Execution from Web Server Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Process Spawned from Web Server Parent (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Authentication via Unusual PAM Grantor (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Systemd Service Started by Unusual Parent Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Initramfs Unpacking via unmkinitramfs (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Network Connections Initiated Through XDG Autostart Entry (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Network Connection via systemd (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ User or Group Creation/Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Removed unnecessary fields from the query and added new fields for event dataset and data stream namespace.