[Rule Tuning] Potential OpenSSH Backdoor Logging Activity

[frconil]

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_ssh_backdoor_log.toml

Rule Tuning Type

Data Quality - Ensuring integrity and quality of data used by detection rules.

Description

As currently defined, the rule uses these three index patterns to run:

• auditbeat-*
  

• logs-endpoint.events.*
  

• endgame-*
  

This can cause issues when defining exceptions, as some fields are specific to logs-endpoint.events.file.

For instance specifying file.path — Which is explicitely queried as part of the rule definition — in a rule exception leads to the error:

This field is defined as different types across the following indices or is unmapped. This can cause unexpected query results.

Because the field doesn't exist for logs-endpoint.events.process or logs-endpoint.events.network.

Considering the original fields being queried in the rule definition being:

file 
host.os.type
event.type
process.executable
file.name
file.extension
file.path

Would it make sense to restrict the rule to the logs-endpoint.events.file-* pattern like we do for Suspicious Web Browser Sensitive File Access for instance?

Example Data

No response