Skip to content

[Rule tuning] existing hpining and strace activity rule. #2028

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jun 16, 2022
Merged

[Rule tuning] existing hpining and strace activity rule. #2028

merged 6 commits into from
Jun 16, 2022

Conversation

shashank-elastic
Copy link
Contributor

@shashank-elastic shashank-elastic commented Jun 13, 2022
edited
Loading

Issues

#2027

Summary

  1. For Rule 1 in consideration already MITRE details have been added as part of [Rule Tuning] Add MITRE Details to exisisting hpining activity rule. #2012. This issue tracks the following changes in the description and query changes from KQL to EQL.
    -- This won't be done as it was rejected in review for having no impact.
  2. For Rule 2 in consideration, the issue tracks MITRE details, and description changes.

Contributor checklist

@shashank-elastic shashank-elastic added this to the 8.4 milestone Jun 13, 2022
@shashank-elastic shashank-elastic self-assigned this Jun 13, 2022
@brokensound77 brokensound77 changed the title [Issue 2027] Rule tuning of existing hpining and strace activity rule. [Rule tuning] existing hpining and strace activity rule. Jun 14, 2022
@brokensound77 brokensound77 added the Rule: Tuning tweaking or tuning an existing rule label Jun 14, 2022
brokensound77
brokensound77 reviewed Jun 14, 2022
View reviewed changes
Copy link
Contributor

@brokensound77 brokensound77 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would these need to be converted to EQL rules?

w0rk3r
w0rk3r previously requested changes Jun 14, 2022
View reviewed changes
Copy link
Contributor

@w0rk3r w0rk3r left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

++, if we are not using sequences here, the type conversion is not needed

@shashank-elastic
Copy link
Contributor Author

@brokensound77 / @w0rk3r We were under the impression EQL had performance benefits over KQL and that we would want to unify our rules but if that's not the case then I guess we will leave them and just tune as is.

@brokensound77
Copy link
Contributor

@brokensound77 / @w0rk3r We were under the impression EQL had performance benefits over KQL and that we would want to unify our rules but if that's not the case then I guess we will leave them and just tune as is.

Yea, in this case, there is no benefit, so I think we are ok to close.

@shashank-elastic
Copy link
Contributor Author

@brokensound77 --> The PR contains MITRE details addition along with query changes, we can revert the query alone and keep the PR open to judge the other aspects.!

@shashank-elastic
Copy link
Contributor Author

I will be reverting query changes alone!

@shashank-elastic
Copy link
Contributor Author

@brokensound77 / @w0rk3r the query changes are reverted please review the other tuning details.

Mikaayenson
Mikaayenson approved these changes Jun 15, 2022
View reviewed changes
Copy link
Contributor

@Mikaayenson Mikaayenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

imays11
imays11 approved these changes Jun 15, 2022
View reviewed changes
Copy link
Contributor

@imays11 imays11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@shashank-elastic shashank-elastic dismissed w0rk3r’s stale review June 15, 2022 17:26

Changes were requested for an older version of PR. Those changes were already reverted in this PR

@shashank-elastic shashank-elastic merged commit 2ee23bd into main Jun 16, 2022
@shashank-elastic shashank-elastic deleted the issue-2027 branch June 16, 2022 11:48
protectionsmachine pushed a commit that referenced this pull request Jun 16, 2022
@shashank-elastic @github-actions
[Rule tuning] existing strace activity rule. (#2028)
69237c4 
* Update description and MITTRE Attack details

(cherry picked from commit 2ee23bd)
protectionsmachine pushed a commit that referenced this pull request Jun 16, 2022
@shashank-elastic @github-actions
[Rule tuning] existing strace activity rule. (#2028)
1a9a78a 
* Update description and MITTRE Attack details

(cherry picked from commit 2ee23bd)
protectionsmachine pushed a commit that referenced this pull request Jun 16, 2022
@shashank-elastic @github-actions
[Rule tuning] existing strace activity rule. (#2028)
7946f8d 
* Update description and MITTRE Attack details

(cherry picked from commit 2ee23bd)
protectionsmachine pushed a commit that referenced this pull request Jun 16, 2022
@shashank-elastic @github-actions
[Rule tuning] existing strace activity rule. (#2028)
bd7b2f3 
* Update description and MITTRE Attack details

(cherry picked from commit 2ee23bd)
protectionsmachine pushed a commit that referenced this pull request Jun 16, 2022
@shashank-elastic @github-actions
[Rule tuning] existing strace activity rule. (#2028)
3e03f7c 
* Update description and MITTRE Attack details

(cherry picked from commit 2ee23bd)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@imays11 imays11 imays11 approved these changes

@DefSecSentinel DefSecSentinel Awaiting requested review from DefSecSentinel

@Samirbous Samirbous Awaiting requested review from Samirbous

@terrancedejesus terrancedejesus Awaiting requested review from terrancedejesus

@w0rk3r w0rk3r Awaiting requested review from w0rk3r

@brokensound77 brokensound77 Awaiting requested review from brokensound77

Assignees

@shashank-elastic shashank-elastic

Labels
backport: auto Domain: Endpoint OS: Linux Rule: Tuning tweaking or tuning an existing rule v8.4.0
Projects
None yet
Milestone
8.4
Development

Successfully merging this pull request may close these issues.
5 participants
@shashank-elastic @brokensound77 @Mikaayenson @w0rk3r @imays11