[D4C Conversion] Converting Compatible D4C Rules to DR #4532
+1,218
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Aegrah
added
OS: Linux
Rule: Tuning
Rule: Tuning - GuidelinesThese guidelines serve as a reminder set of considerations when tuning an existing rule. Documentation and Context
Rule Metadata Checks
Testing and Validation
|
|
⛔️ Tests failed:
|
|
⛔️ Tests failed:
|
…tection-rules into convert-d4c-to-defend
|
⛔️ Tests failed:
|
|
⛔️ Tests failed:
|
Aegrah
requested review from
Mikaayenson,
w0rk3r,
imays11,
shashank-elastic and
terrancedejesus
|
@Aegrah would push this as BBRs first make sense? Adoption of the endpoint is higher than what we had with D4C, so we can make sure we are not pushing additional noise, while we validate how reliable the fields we didn't use in other rules yet are |
|
@w0rk3r I have nothing against moving them to BBR first for a cycle. However, based on the telem available currently, I think none of these rules will be prone to large bulks of FPs. I don't think it's necessary, but at the same time, if we want to minimize the potential risk of pushing a potentially noisy rule, I can make the change! Any thoughts @imays11? |
imays11
approved these changes
Mar 12, 2025
rules/linux/execution_container_management_binary_launched_inside_container.toml
Outdated
Show resolved
Hide resolved
rules/linux/privilege_escalation_debugfs_launched_inside_container.toml
Outdated
Show resolved
Hide resolved
rules/linux/privilege_escalation_debugfs_launched_inside_container.toml
Outdated
Show resolved
Hide resolved
rules/linux/privilege_escalation_mount_launched_inside_container.toml
Outdated
Show resolved
Hide resolved
rules/linux/privilege_escalation_mount_launched_inside_container.toml
Outdated
Show resolved
Hide resolved
…ide_container.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
…iner.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
…iner.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
…er.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
|
⛔️ Tests failed:
|
…er.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
|
⛔️ Tests failed:
|
|
⛔️ Tests failed:
|
|
⛔️ Tests failed:
|
|
⛔️ Tests failed:
|
|
Thanks for the thorough review @imays11. If this one does not get the approvals necessary to merge prior to my PTO, feel free to merge it before the next release @shashank-elastic! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR converts all compatible D4C rules to DR. Please review the rules carefully, and also the investigation guides. Any references to specific fields that are unavailable in Defend are removed from the investigation guides. However, this was manual work, thus, please review it carefully.
Conversion constraints
process.entry_leader.entry_meta.type == "container"field, onlyprocessrules were converted, asfileandnetworkevents do not contain this field.container.security_context.privilegedfield is unavailable, thus, rules relying on privileged container scenarios were converted without this field set totrue. Given the low-volume occurrences of these events, this should not be an issue.