fix(rules/linux): correct detection fields, dedup & adversary on 27 validated Linux rules#2268
Closed
rvald26 wants to merge 1 commit into
Closed
Conversation
…7 Linux rules Validated by firing real telemetry on a live Linux agent (auditd + journald normalization). Three classes of issues were fixed; only detection logic / grouping / adversary changed — impact, category, technique, description and references are preserved. - Wrong field for command execution: command lines are in `origin.command` (auditd execve), not `log.message` (only `sudo` echoes a command into journald). Rules matching `log.message` missed unprivileged execution → switched to `origin.command` / `origin.process` / `log.execve.a0`. - Non-existent `log.process` (it is `origin.process`) on several rules. - Duplicate-alert spam: `groupBy` used `origin.ip`/`origin.user`/`origin.host`, all empty on the agent's execve telemetry → grouping disabled → one alert per event. Switched to `deduplicateBy: [dataSource]` (the only always-populated host key). Measured: a burst that produced 79/158 alerts now produces ~1-2. - Empty adversary: netcat (427) and earthworm (441) used `adversary: target`, but `target.*` is empty on local Linux events → set `adversary: origin`. - Brute-force (423): rewrote `where` to detect failed auth and re-pointed the `afterEvents` threshold to correlate by the populated `dataSource`. Each fixed rule was deployed to a live SIEM and confirmed firing on a real payload generated on the agent. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Author
|
Superseded by #2269 — recreated from a branch in utmstack/UTMStack (not a fork) so it targets v11 directly. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the detection logic, alert deduplication, and adversary attribution of 27 Linux (
rules/linux/) correlation rules. Every changed rule was validated by firing real telemetry on a live UTMStack Linux agent and confirming the alert in the SIEM. Onlywhere/ grouping /adversarywere changed —impact,category,technique,description,referencesare preserved.Root causes (all from how the Linux agent normalizes auditd)
The agent feeds
v11-log-linux-*from auditd (structured fields; command line inorigin.command; nolog.message) and journald (log.message, noaction). This broke four classes of rule logic:origin.command(auditdexecve), notlog.message— a command only reacheslog.messagewhen run viasudo(which echoes… COMMAND=…to journald). So rules matchinglog.messagefor command detection fired only for privileged/sudo runs and missed unprivileged execution. → switched toorigin.command(andorigin.process/log.execve.a0where appropriate, e.g. process-masquerading detects a spoofedargv[0]kernel-thread name inlog.execve.a0).log.process(the field isorigin.process) — used by several persistence rules.groupByusedorigin.ip/origin.user/origin.host, which are empty on the agent's execve telemetry → grouping is disabled → one alert per event (a single action produced 79–158 alerts). → switched todeduplicateBy: [dataSource](the only always-populated host key). Measured after the fix: the same bursts collapse to ~1–2 alerts per host (e.g. 79→2, 158→1).file_transfer_or_listener_established_via_netcat) and EarthWorm (tunneling_via_earthworm) usedadversary: target, buttarget.*is empty on local Linux events → the alert had no adversary. → setadversary: originso it is populated fromorigin.process/origin.command.Brute-force (
bruteforce_attack) additionally rewriteswhereto detect failed auth (Failed password/USER_AUTHfailure) and re-points itsafterEventsthreshold to correlate by the populateddataSource(the original correlated byorigin.user/log.hostId, which are empty).Validation
Each of the 27 rules was deployed to a live SIEM and confirmed firing on a real payload generated on a Linux agent; the dedup change was verified to collapse a multi-event burst to a single alert per host. Full methodology, telemetry model, and per-rule results are documented in the workshop validation notes.
Scope
These are the 27 rules whose shipped logic could not fire (or duplicated) on the agent's auditd/journald telemetry. The remaining
rules/linux/rules either already fire as-shipped or target platforms not exercised here (RHEL/OpenShift/SELinux/Secure Boot, kernel-fault telemetry) and are left unchanged.🤖 Generated with Claude Code