elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Hosts File Modified #3956

Closed tehbooom closed 2 months ago

tehbooom commented 2 months ago

Link to Rule

https://github.com/elastic/detection-rules/blob/11636b159d88d25867ec75593ef5b9c4db647550/rules/cross-platform/impact_hosts_file_modified.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

Still seeing false positives for this rule when the endpoint is installed on GCE instances.

```eql
  /* process events for change targeting linux only */
  (
   event.category == "process" and event.type in ("start") and
     process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and
     process.args : ("/etc/hosts") and
     not process.parent.name in ("dhclient-script", "google_set_hostname")
  )
```

Example Data


I'm seeing a high number of alerts, 1000+ a day.

w0rk3r commented 2 months ago

I talked with @tehbooom via Slack. He shared an alert JSON, and the process.parent.name field is not populated, which causes the alert to still trigger. He is going to proceed with the Endpoint team to investigate why.
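The behaviour described in the comment above, reproduced as an added example that is not code from this issue or from the detection-rules project: a small Python model of the quoted process-event clause run over constructed sample events. It assumes the negated `in` clause behaves like a must_not filter, so an event with no `process.parent.name` at all satisfies `not process.parent.name in (...)` and still fires; the `classify` function is an assumed triage variant that separates the missing-field case from a genuine match. The sample events, the `BENIGN_PARENTS` and `EDITORS` names and the `needs_enrichment` label are constructed for illustration.

```python
"""Model of the hosts-file clause from the issue, over constructed sample events.

Added example, not the rule's own code. Assumption modelled: a negated `in`
clause behaves like a must_not filter, so an event whose process.parent.name
is missing passes the exclusion and the alert still triggers.
"""

EDITORS = {"nano", "vim", "vi", "emacs", "echo", "sed"}
BENIGN_PARENTS = {"dhclient-script", "google_set_hostname"}


def get(event, path):
    """Return the value at a dotted ECS path, or None when any segment is missing."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def as_list(value):
    """ECS allows scalar or array values for fields like event.type and process.args."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_hosts_edit(event):
    """Positive part of the clause: an editor process started with /etc/hosts as an argument."""
    return (
        get(event, "event.category") == "process"
        and "start" in as_list(get(event, "event.type"))
        and get(event, "process.name") in EDITORS
        and any(a.lower() == "/etc/hosts" for a in as_list(get(event, "process.args")))
    )


def current_rule_alerts(event):
    """Clause as quoted in the issue: the exclusion only removes known benign parents."""
    if not is_hosts_edit(event):
        return False
    parent = get(event, "process.parent.name")
    # must_not semantics: None is never one of the listed names, so the event still matches
    return parent not in BENIGN_PARENTS


def classify(event):
    """Assumed triage variant: route the missing-field case to telemetry triage
    instead of counting it as a confirmed hosts-file modification."""
    if not is_hosts_edit(event):
        return "no_match"
    parent = get(event, "process.parent.name")
    if parent is None:
        return "needs_enrichment"  # parent unknown: a telemetry gap, not proof of benign origin
    if parent in BENIGN_PARENTS:
        return "excluded"
    return "alert"


# Constructed sample events (not real telemetry from the issue)
SAMPLE_EVENTS = [
    {"event": {"category": "process", "type": ["start"]},
     "process": {"name": "nano", "args": ["nano", "/etc/hosts"],
                 "parent": {"name": "google_set_hostname"}}},
    {"event": {"category": "process", "type": ["start"]},
     "process": {"name": "sed", "args": ["sed", "-i", "s/old/new/", "/etc/hosts"]}},
    {"event": {"category": "process", "type": ["start"]},
     "process": {"name": "vim", "args": ["vim", "/etc/hosts"],
                 "parent": {"name": "bash"}}},
    {"event": {"category": "process", "type": ["start"]},
     "process": {"name": "nano", "args": ["nano", "/etc/resolv.conf"],
                 "parent": {"name": "bash"}}},
]


def summarize(events):
    """Count how the quoted clause and the triage classifier treat each event."""
    counts = {"current_rule_alerts": 0, "alert": 0, "excluded": 0,
              "needs_enrichment": 0, "no_match": 0}
    for ev in events:
        counts["current_rule_alerts"] += int(current_rule_alerts(ev))
        counts[classify(ev)] += 1
    return counts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(get(ev, "process.name"), get(ev, "process.parent.name"),
              current_rule_alerts(ev), classify(ev))
    print(summarize(SAMPLE_EVENTS))
```

The second sample event (sed with no parent populated) is the case from the comment: the quoted clause fires on it, while the classifier flags it as a telemetry gap to follow up with the data source rather than as a tuning problem in the exclusion list.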