Skip to content

Conversation

Aegrah
Copy link
Contributor

@Aegrah Aegrah commented Oct 17, 2025

Summary

This PR adds 3rd party EDR compatibility of CrowdStrike to all Linux process category rules.

@Aegrah Aegrah self-assigned this Oct 17, 2025
@Aegrah Aegrah added OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Oct 17, 2025
@botelastic botelastic bot added bbr Building Block Rules Domain: Endpoint labels Oct 17, 2025
Copy link
Contributor

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@tradebot-elastic
Copy link

tradebot-elastic commented Oct 17, 2025

⛔️ Test failed

Results
  • ❌ Interactive Terminal Spawned via Perl (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Node.js Pre or Post-Install Script Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Shell via Wildcard Injection Detected (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Kubectl Permission Discovery (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Hex Payload Execution via Command-Line (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ AWS CLI Command with Custom Endpoint URL (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Kernel Feature Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual SSHD Child Process (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Pluggable Authentication Module (PAM) Source Download (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ IPv4/IPv6 Forwarding Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Chroot Container Escape via Mount (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Virtual Machine Fingerprinting (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Base64 Decoded Payload Piped to Interpreter (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Memory Swap Modification (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Unusual Execution from Kernel Thread (kthreadd) Parent (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Termination of ESXI Process (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ High Number of Process Terminations (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Privilege Escalation through Writable Docker Socket (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Named Pipe Creation (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious APT Package Manager Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Linux Telegram API Request (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Data Exfiltration Through Curl (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Curl or Wget Spawned via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Git Hook Command Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ GitHub Authentication Token Access via Node.js (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Printer User (lp) Shell Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport: auto bbr Building Block Rules Domain: Endpoint OS: Linux Rule: Tuning tweaking or tuning an existing rule Team: TRADE

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants