Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Rule Tuning] Potential OpenSSH Backdoor Logging Activity #4248

Open
frconil opened this issue Nov 5, 2024 · 0 comments
Open

[Rule Tuning] Potential OpenSSH Backdoor Logging Activity #4248

frconil opened this issue Nov 5, 2024 · 0 comments
Assignees
Labels
Rule: Tuning tweaking or tuning an existing rule Team: TRADE

Comments

@frconil
Copy link

frconil commented Nov 5, 2024

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_ssh_backdoor_log.toml

Rule Tuning Type

Data Quality - Ensuring integrity and quality of data used by detection rules.

Description

As currently defined, the rule uses these three index patterns to run:

  • auditbeat-*
    
  • logs-endpoint.events.*
    
  • endgame-*
    

This can cause issues when defining exceptions, as some fields are specific to logs-endpoint.events.file.

For instance specifying file.path — Which is explicitely queried as part of the rule definition — in a rule exception leads to the error:

This field is defined as different types across the following indices or is unmapped. This can cause unexpected query results.

Because the field doesn't exist for logs-endpoint.events.process or logs-endpoint.events.network.

Considering the original fields being queried in the rule definition being:

file 
host.os.type
event.type
process.executable
file.name
file.extension
file.path

Would it make sense to restrict the rule to the logs-endpoint.events.file-* pattern like we do for Suspicious Web Browser Sensitive File Access for instance?

Example Data

No response

@frconil frconil added Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Rule: Tuning tweaking or tuning an existing rule Team: TRADE
Projects
None yet
Development

No branches or pull requests

2 participants