
Conversation


@Aegrah Aegrah commented Dec 17, 2025

Summary

Several Linux DR tunings for credential access. Major changes:

  • Deprecated a few rules that had 0 hits last year; their data sources are not used and they were relatively expensive, so they were not worth keeping.
  • Converted some EQL sequence rules over to ESQL --> please double-check the syntax there.
  • Big FP tunings & severity bumps.

@Aegrah Aegrah self-assigned this Dec 17, 2025
@Aegrah Aegrah added labels OS: Linux, Rule: Tuning (tweaking or tuning an existing rule), Team: TRADE on Dec 17, 2025
@github-actions

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements from adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning for adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving the quality and integrity of the data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@tradebot-elastic

tradebot-elastic commented Dec 17, 2025

⛔️ Test failed

Results
  • ❌ Potential Internal Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Sensitive Keys Or Passwords Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux RDP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS Credentials Searched For Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Manual Memory Dumping via Proc Filesystem (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Deprecated - Potential Successful Linux FTP Brute Force Attack Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Sensitive Files Compression (kuery)
  • ❌ Potential Linux Local Account Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Successful SSH Brute Force Attack (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubernetes Service Account Secret Access (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ✅ Linux init (PID 1) Secret Dump via GDB (eql)
  • ❌ Sensitive Files Compression Inside A Container (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Authentication Token Access via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Linux Credential Dumping via Unshadow (eql)
    • stack_validation_failed: no_alerts - 0 alerts
  • ✅ Potential Linux Credential Dumping via Proc Filesystem (eql)
  • ❌ Potential OpenSSH Backdoor Logging Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential External Linux SSH Brute Force Detected (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta


@Mikaayenson Mikaayenson left a comment

Lots of reasonable tunings in here. No notes. I didn't notice the query conversion eql-->sql slightly changing semantics (10 runs vs 25 counts), but still no big concern. Should be g2g when the CI passes.
