Closed DefSecSentinel closed 4 months ago
Sorry for copy-pasting, but the same applies here:
My opinion: I generally see that false positives are annoying when editing the hosts file via nano or vim, but I would argue that information that a hosts file was modified, even via a well-known file editor, should still raise an alert. A threat actor could modify the file via the mentioned tools and nobody would ever know it. Nevertheless, I am still on board with whitelisting the obvious FPs.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
So, how was this handled?
Link to rule
https://github.com/elastic/detection-rules/blob/f04ebf277c08aa4a8f4cc5454fa8b60ede9126f7/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml#L12
Description
Tune to exclude FP process executable patterns. Excluding vim, vi, nano, pico, visudo, kandji-parameter-agent and jumpcloud-agent.
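As an added example (not the rule's own query and not code from elastic/detection-rules), the tuning described above expressed as a small Python detector run over constructed events. The ECS-like event shape, the path patterns `/etc/sudoers` and `/etc/sudoers.d/*`, and the event types counted as a modification are assumptions; the process exclusion list is the one named in the description. Running it with and without the exclusions also shows the trade-off raised in the comment above: an edit of `/etc/sudoers` by `vim` no longer produces an alert once `vim` is excluded.

```python
import fnmatch

# Process executables excluded as known false positives (from the issue description).
EXCLUDED_PROCESSES = frozenset({
    "vim", "vi", "nano", "pico", "visudo",
    "kandji-parameter-agent", "jumpcloud-agent",
})

# Assumption: paths the rule treats as "the sudoers file".
SUDOERS_PATTERNS = ("/etc/sudoers", "/etc/sudoers.d/*")

# Assumption: event.type values that count as a modification for this rule.
MODIFICATION_TYPES = frozenset({"change", "creation"})

# Constructed sample events in a simplified ECS-like shape (not real Elastic data).
SAMPLE_EVENTS = [
    {"event": {"category": "file", "type": "change"},
     "file": {"path": "/etc/sudoers"}, "process": {"name": "vim"}},
    {"event": {"category": "file", "type": "change"},
     "file": {"path": "/etc/sudoers.d/90-cloud-init-users"},
     "process": {"name": "kandji-parameter-agent"}},
    {"event": {"category": "file", "type": "creation"},
     "file": {"path": "/etc/sudoers.d/evil"}, "process": {"name": "bash"}},
    {"event": {"category": "file", "type": "change"},
     "file": {"path": "/etc/sudoers"}, "process": {"name": "python3"}},
    {"event": {"category": "file", "type": "deletion"},
     "file": {"path": "/etc/sudoers"}, "process": {"name": "rm"}},
    {"event": {"category": "file", "type": "change"},
     "file": {"path": "/etc/passwd"}, "process": {"name": "vipw"}},
]


def matches_sudoers(path: str) -> bool:
    """True if the path is /etc/sudoers or anything under /etc/sudoers.d/."""
    return any(fnmatch.fnmatchcase(path, pat) for pat in SUDOERS_PATTERNS)


def is_sudoers_modification(event: dict, exclusions=EXCLUDED_PROCESSES) -> bool:
    """Rule logic: file modification of a sudoers path, unless the writing
    process is on the exclusion list."""
    ev = event.get("event", {})
    if ev.get("category") != "file" or ev.get("type") not in MODIFICATION_TYPES:
        return False
    if not matches_sudoers(event.get("file", {}).get("path", "")):
        return False
    return event.get("process", {}).get("name") not in exclusions


def run_rule(events, exclusions=EXCLUDED_PROCESSES):
    """Return the (path, process) pairs that would alert."""
    return [
        (e["file"]["path"], e["process"]["name"])
        for e in events
        if is_sudoers_modification(e, exclusions)
    ]


if __name__ == "__main__":
    print("tuned rule:  ", run_rule(SAMPLE_EVENTS))
    print("untuned rule:", run_rule(SAMPLE_EVENTS, exclusions=frozenset()))
```

With the exclusions applied, only the `bash` and `python3` writers alert; with an empty exclusion set, the `vim` and `kandji-parameter-agent` edits alert as well, which is exactly the signal the comment above argues should not be thrown away silently.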