Meta Summary

Many of the new Linux rules currently do not leverage all potential indices. While doing performance analysis and tuning, my second goal is to ensure that the rules compatible with other data sources, thus (endgame, auditbeat, auditd_manager) will be added to the rule index list.

Estimated Time to Complete

3 - 5 days, depending on how much time is being spent on it. This meta will be one that can be worked at whenever some additional time is available.

Notes

This round of tuning does not only focus on FP/TP analysis, but also on:

• Compatibility;
• Performance.

Tasklist

Setup

In order to integrate auditd_manager seamlessly, we prepared for this issue by getting #3430 in. This PR removes the check for the event.action == "auditd_manager.auditd", allowing us to make the rules compatible.

In #3451 the event.action field was removed from all auditd_manager queries, and the "Data Source: Auditd Manager" tag was added.

Rules that require additional research & tuning

• discovery_virtual_machine_fingerprinting.toml
• execution_remote_code_execution_via_postgresql.toml
• execution_shell_evasion_linux_binary.toml
• execution_shell_via_java_revshell_linux.toml
• execution_suspicious_executable_running_system_commands.toml
• credential_access_cookies_chromium_browsers_debugging.toml --> Should check specifically for exec rather than fork, maybe remove from cross-platform?

The above rule tunings have been merged. This round of rule tuning is finished.