

[FR] Generate investigation guides (#4358)
Mikaayenson committed Jan 22, 2025
1 parent c280d6b commit f2627be
Showing 14 changed files with 16 additions and 16 deletions.
2 changes: 1 addition & 1 deletion rules/linux/discovery_polkit_version_discovery.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
4 changes: 2 additions & 2 deletions rules/linux/execution_unusual_pkexec_execution.toml
Expand Up @@ -2,13 +2,13 @@
creation_date = "2025/01/16"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
description = """
This rule detects the execution of the `pkexec` command by a shell process. The `pkexec` command is used to
execute programs as another user, typically as the superuser. Through the `new_terms` rule type, unusual
execute programs as another user, typically as the superuser. Through the `new_terms` rule type, unusual
executions of `pkexec` are identified, and may indicate an attempt to escalate privileges or perform
unauthorized actions on the system.
"""
2 changes: 1 addition & 1 deletion rules/linux/persistence_boot_file_copy.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
4 changes: 2 additions & 2 deletions rules/linux/persistence_dbus_service_creation.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -93,7 +93,7 @@ file.extension in ("service", "conf") and file.path like~ (
"install", "crio", "apt-get", "package-cleanup", "dcservice", "dcregister", "jumpcloud-agent", "executor"
) or
(process.name == "sed" and file.name : "sed*") or
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
(process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
'''
note = """## Triage and analysis
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
2 changes: 1 addition & 1 deletion rules/linux/persistence_extract_initramfs_via_cpio.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
2 changes: 1 addition & 1 deletion rules/linux/persistence_grub_configuration_creation.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
2 changes: 1 addition & 1 deletion rules/linux/persistence_grub_makeconfig.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
2 changes: 1 addition & 1 deletion rules/linux/persistence_manual_dracut_execution.toml
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
2 changes: 1 addition & 1 deletion rules/linux/persistence_polkit_policy_creation.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2025/01/16"
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
2 changes: 1 addition & 1 deletion rules/linux/persistence_systemd_shell_execution.toml
Expand Up @@ -2,7 +2,7 @@
creation_date = "2025/01/16"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
