[Tuning] Linux DR Tuning - Part 10 #3462

Aegrah · 2024-02-21T09:59:46Z

Summary

Part 10 of the Linux DR tuning. Besides regular rule tuning, this PR added compatibility with additional data sources where possible, added correct tags/indices, fixed formatting, and checked for potential rule performance increases.

shashank-elastic

Query needs to be corrected. Unit tests are failing!

rules/linux/persistence_kworker_file_creation.toml

DefSecSentinel

LGTM

w0rk3r · 2024-03-06T17:22:46Z

rules/linux/persistence_etc_file_creation.toml

-  (process.executable : (
-    "*/dpkg", "*/yum", "*/apt", "*/dnf", "*/rpm", "*/systemd", "*/snapd",
-    "*/dnf-automatic","*/yum-cron", "*/elastic-agent", "*/dnfdaemon-system",
-    "*/bin/dockerd", "*/sbin/dockerd", "/kaniko/executor", "/usr/sbin/rhn_check"
+  (process.name : (
+    "chef-client", "ruby", "pacman", "packagekitd", "python*", "platform-python", "dpkg", "yum", "apt", "dnf", "rpm",
+    "systemd", "snapd", "dnf-automatic", "yum-cron", "elastic-agent", "dnfdaemon-system", "dockerd", "executor",
+    "rhn_check"


Already fixed.

* [Tuning] Linux DR Tuning - Part 10 * updated_date bump * Update persistence_kworker_file_creation.toml * Update persistence_linux_backdoor_user_creation.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Removed changes from: - rules/linux/persistence_init_d_file_creation.toml (selectively cherry picked from commit a76a375)

* [Tuning] Linux DR Tuning - Part 10 * updated_date bump * Update persistence_kworker_file_creation.toml * Update persistence_linux_backdoor_user_creation.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit a76a375)

Aegrah added 2 commits February 21, 2024 10:58

[Tuning] Linux DR Tuning - Part 10

7e93ca6

updated_date bump

f07e2a2

Aegrah added OS: Linux Rule: Tuning tweaking or tuning an existing rule Domain: Endpoint backport: auto Area: RAD Team: TRADE labels Feb 21, 2024

Aegrah requested review from w0rk3r, DefSecSentinel, shashank-elastic and terrancedejesus February 21, 2024 09:59

Aegrah self-assigned this Feb 21, 2024

shashank-elastic previously requested changes Feb 21, 2024

View reviewed changes

rules/linux/persistence_kworker_file_creation.toml Outdated Show resolved Hide resolved

Update persistence_kworker_file_creation.toml

9cd50bd

Aegrah requested a review from shashank-elastic February 21, 2024 12:55

Aegrah mentioned this pull request Feb 21, 2024

[Meta] Linux Tuning & Index Pattern Checks #3428

Closed

Update persistence_linux_backdoor_user_creation.toml

282bc74

DefSecSentinel approved these changes Mar 5, 2024

View reviewed changes

Merge branch 'main' into linux-dr-tuning-10

b864ca4

w0rk3r approved these changes Mar 6, 2024

View reviewed changes

Aegrah added 2 commits March 7, 2024 09:35

Merge branch 'main' into linux-dr-tuning-10

055f095

Merge branch 'main' into linux-dr-tuning-10

9be9d80

Aegrah merged commit a76a375 into main Mar 7, 2024
14 checks passed

Aegrah deleted the linux-dr-tuning-10 branch March 7, 2024 10:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Tuning] Linux DR Tuning - Part 10 #3462

[Tuning] Linux DR Tuning - Part 10 #3462

Aegrah commented Feb 21, 2024

shashank-elastic left a comment

DefSecSentinel left a comment

w0rk3r Mar 6, 2024

[Tuning] Linux DR Tuning - Part 10 #3462

[Tuning] Linux DR Tuning - Part 10 #3462

Conversation

Aegrah commented Feb 21, 2024

Summary

shashank-elastic left a comment

Choose a reason for hiding this comment

DefSecSentinel left a comment

Choose a reason for hiding this comment

w0rk3r Mar 6, 2024

Choose a reason for hiding this comment