[Meta] Linux Tuning & Index Pattern Checks

[Aegrah]

Meta Summary

Many of the new Linux rules currently do not leverage all potential indices. While doing performance analysis and tuning, my second goal is to ensure that the rules compatible with other data sources, thus (endgame, auditbeat, auditd_manager) will be added to the rule index list.

Estimated Time to Complete

3 - 5 days, depending on how much time is being spent on it. This meta will be one that can be worked at whenever some additional time is available.

Notes

This round of tuning does not only focus on FP/TP analysis, but also on:

• Compatibility;
• Performance.

Tasklist

### Meta Tasks
- [x] Linux Detection Rules Tuning PR
- [x] Linux Cross-Platform Tuning PR
- [x] Linux Building Block Rules Tuning PR
- [x] Linux Building Block Rules Promotion PR
- [x] Linux Endpoint Rules Tuning PR
- [x] Linux Endpoint Rules Promotion PR

### Pull Requests to Enable Tuning or Add Compatibility
- [ ] https://github.com/elastic/detection-rules/pull/3430
- [ ] https://github.com/elastic/detection-rules/pull/3451
- [ ] https://github.com/elastic/detection-rules/pull/3471
- [ ] https://github.com/elastic/detection-rules/pull/3495

### Linux DR Tuning Pull Requests
- [ ] https://github.com/elastic/detection-rules/pull/3452
- [ ] https://github.com/elastic/detection-rules/pull/3453
- [ ] https://github.com/elastic/detection-rules/pull/3454
- [ ] https://github.com/elastic/detection-rules/pull/3455
- [ ] https://github.com/elastic/detection-rules/pull/3456
- [ ] https://github.com/elastic/detection-rules/pull/3457
- [ ] https://github.com/elastic/detection-rules/pull/3458
- [ ] https://github.com/elastic/detection-rules/pull/3460
- [ ] https://github.com/elastic/detection-rules/pull/3461
- [ ] https://github.com/elastic/detection-rules/pull/3462
- [ ] https://github.com/elastic/detection-rules/pull/3463
- [ ] https://github.com/elastic/detection-rules/pull/3464
- [ ] https://github.com/elastic/detection-rules/pull/3465
- [ ] https://github.com/elastic/detection-rules/pull/3467

### Linux Cross-Platform Tuning Pull Requests
- [ ] https://github.com/elastic/detection-rules/pull/3468

### Linux BBR Tuning & Promotion Pull Requests
- [ ] https://github.com/elastic/detection-rules/pull/3469
- [ ] https://github.com/elastic/detection-rules/pull/3470
- [ ] https://github.com/elastic/detection-rules/pull/3472

### Linux ER Tuning & Promotion Pull Requests
- [ ] https://github.com/elastic/endpoint-rules/pull/3336
- [ ] https://github.com/elastic/endpoint-rules/pull/3337

[Aegrah]

Setup

In order to integrate auditd_manager seamlessly, we prepared for this issue by getting #3430 in. This PR removes the check for the event.action == "auditd_manager.auditd", allowing us to make the rules compatible.

In #3451 the event.action field was removed from all auditd_manager queries, and the "Data Source: Auditd Manager" tag was added.

[Aegrah]

Rules that require additional research & tuning

• discovery_virtual_machine_fingerprinting.toml
• execution_remote_code_execution_via_postgresql.toml
• execution_shell_evasion_linux_binary.toml
• execution_shell_via_java_revshell_linux.toml
• execution_suspicious_executable_running_system_commands.toml
• credential_access_cookies_chromium_browsers_debugging.toml --> Should check specifically for exec rather than fork, maybe remove from cross-platform?

[Aegrah]

The above rule tunings have been merged. This round of rule tuning is finished.