[Tuning] Linux DR Tuning - Part 6 (#3457)

* [Tuning] Linux DR Tuning - Part 6

* Update discovery_ping_sweep_detected.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

Removed changes from:
- rules/linux/discovery_process_capabilities.toml
- rules/linux/execution_abnormal_process_id_file_created.toml
- rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml

(selectively cherry picked from commit f37a3bf)

Author: Aegrah

rules/linux/discovery_ping_sweep_detected.toml

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/09/04"
-integration = ["endpoint"]
+integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/02/20"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ Adversaries may leverage built-in tools such as ping, netcat or socat to execute
 attempting to evade detection or due to the lack of network mapping tools available on the compromised host. 
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Potential Network Scan Executed From Host"
@@ -48,12 +48,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Discovery",
+        "Data Source: Elastic Defend",
+        "Data Source: Elastic Endgame",
+        "Data Source: Auditd Manager"
+        ]
 timestamp_override = "event.ingested"
 type = "threshold"
 query = '''
-host.os.type:linux and event.action:exec and event.type:start and 
-process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)
+event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and
+event.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)
 '''
 
 [[rule.threat]]

rules/linux/discovery_sudo_allowed_command_enumeration.toml

@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/20"
 
 [rule]
 author = ["Elastic"]
@@ -47,14 +47,20 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Discovery",
+        "Data Source: Elastic Defend"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
 process.name == "sudo" and process.args == "-l" and process.args_count == 2 and
 process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and 
-not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
+not group.Ext.real.id : "0" and not user.Ext.real.id : "0" and not process.args == "dpkg"
 '''
 
 [[rule.threat]]