[Rule Tuning] Security File Access via Common Utilities

rules/linux/discovery_security_file_access_via_common_utility.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/11/04"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/12"
 
 [rule]
 author = ["Elastic"]
@@ -96,27 +96,36 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
-  event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
-  process.name in ("cat", "grep", "less", "more", "strings", "awk", "find", "xargs") and
-  process.args like (
-    "/etc/security/*", "/etc/pam.d/*", "/etc/login.defs", "/lib/security/*", "/lib64/security/*",
-    "/usr/lib/security/*", "/usr/lib64/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
-    "/home/*/.aws/credentials", "/home/*/.aws/config", "/home/*/.config/gcloud/*credentials.json",
-    "/home/*/.config/gcloud/configurations/config_default", "/home/*/.azure/accessTokens.json",
-    "/home/*/.azure/azureProfile.json"
-  ) and 
-not process.parent.name in ("wazuh-modulesd", "lynis")
+event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
+process.name in ("cat", "less", "more", "strings", "find", "xargs") and
+process.parent.executable != null and 
+process.args like (
+  "/etc/security/*", "/etc/pam.d/*", "/etc/login.defs", "/lib/security/*", "/lib64/security/*",
+  "/usr/lib/security/*", "/usr/lib64/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
+  "/home/*/.aws/credentials", "/home/*/.aws/config", "/home/*/.config/gcloud/*credentials.json",
+  "/home/*/.config/gcloud/configurations/config_default", "/home/*/.azure/accessTokens.json",
+  "/home/*/.azure/azureProfile.json"
+) and not (
+  process.parent.name in ("wazuh-modulesd", "lynis") or
+  process.command_line in ("cat /etc/login.defs" , "cat /home/asterisk/.aws/credentials") or
+  ?process.parent.command_line in (
+    "/bin/sh /usr/sbin/lynis audit system --cronjob",
+    "/usr/bin/find -L /etc/security/limits.conf /etc/security/limits.d -type f -exec /usr/bin/cat {} ;",
+    "/usr/bin/find /etc/security/limits.conf /etc/security/limits.d -type f -exec /usr/bin/cat {} ;"
+  ) or
+  ?process.parent.args in ("/opt/imperva/ragent/bin/get_sys_resources.sh", "/usr/sbin/lynis", "./terra_linux.sh") or
+  process.args == "/usr/bin/coreutils" or
+  (process.parent.name == "pwsh" and process.parent.command_line like "*Evaluate-STIG*") or
+  ?process.parent.executable == "/usr/sap/audit_scripts/auto_audit_gral.sh"
+)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-

rules/linux/privilege_escalation_netcon_via_sudo_binary.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/01/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/12"
 
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,10 @@ tags = [
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=5s
-  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec"]
+  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sudo" and not (
+    process.args == "su" or
+    process.command_line like ("sudo su*", "sudo ./opt/Limpar_ram.sh", "*BECOME-SUCCESS*")
+  )]
   [network where host.os.type == "linux" and event.type == "start" and
   event.action in ("connection_attempted", "ipv4_connection_attempt_event") and process.name == "sudo" and not (
     destination.ip == null or destination.ip == "0.0.0.0" or cidrmatch(