fix(rules/linux): correct detection fields, dedup & adversary on 27 validated Linux rules#2269
Conversation
…7 Linux rules Validated by firing real telemetry on a live Linux agent (auditd + journald normalization). Three classes of issues were fixed; only detection logic / grouping / adversary changed — impact, category, technique, description and references are preserved. - Wrong field for command execution: command lines are in `origin.command` (auditd execve), not `log.message` (only `sudo` echoes a command into journald). Rules matching `log.message` missed unprivileged execution → switched to `origin.command` / `origin.process` / `log.execve.a0`. - Non-existent `log.process` (it is `origin.process`) on several rules. - Duplicate-alert spam: `groupBy` used `origin.ip`/`origin.user`/`origin.host`, all empty on the agent's execve telemetry → grouping disabled → one alert per event. Switched to `deduplicateBy: [dataSource]` (the only always-populated host key). Measured: a burst that produced 79/158 alerts now produces ~1-2. - Empty adversary: netcat (427) and earthworm (441) used `adversary: target`, but `target.*` is empty on local Linux events → set `adversary: origin`. - Brute-force (423): rewrote `where` to detect failed auth and re-pointed the `afterEvents` threshold to correlate by the populated `dataSource`. Each fixed rule was deployed to a live SIEM and confirmed firing on a real payload generated on the agent. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
❌ Go dependencies check failedThere are outdated Go dependencies, or modules that could not be inspected. Script output |
✅ AI review — ApprovedNo issues detected in this diff. ✅
|
⛔ Permission deniedOnly members of @utmstack/administrators or @utmstack/core-developers can merge PRs into this repository. PR author: @rvald26 The comments above (deps + AI review) are still valid — if you address them, the checks will re-run automatically, but final approval is left to an administrator. @utmstack/administrators please review. |
Summary
Fixes the detection logic, alert deduplication, and adversary attribution of 27 Linux (
rules/linux/) correlation rules. Every changed rule was validated by firing real telemetry on a live UTMStack Linux agent and confirming the alert in the SIEM. Onlywhere/ grouping /adversarywere changed —impact,category,technique,description,referencesare preserved.Root causes (all from how the Linux agent normalizes auditd)
The agent feeds
v11-log-linux-*from auditd (structured fields; command line inorigin.command; nolog.message) and journald (log.message, noaction). This broke four classes of rule logic:origin.command(auditdexecve), notlog.message— a command only reacheslog.messagewhen run viasudo(which echoes… COMMAND=…to journald). So rules matchinglog.messagefor command detection fired only for privileged/sudo runs and missed unprivileged execution. → switched toorigin.command(andorigin.process/log.execve.a0where appropriate, e.g. process-masquerading detects a spoofedargv[0]kernel-thread name inlog.execve.a0).log.process(the field isorigin.process) — used by several persistence rules.groupByusedorigin.ip/origin.user/origin.host, which are empty on the agent's execve telemetry → grouping is disabled → one alert per event (a single action produced 79–158 alerts). → switched todeduplicateBy: [dataSource](the only always-populated host key). Measured after the fix: the same bursts collapse to ~1–2 alerts per host (e.g. 79→2, 158→1).file_transfer_or_listener_established_via_netcat) and EarthWorm (tunneling_via_earthworm) usedadversary: target, buttarget.*is empty on local Linux events → the alert had no adversary. → setadversary: originso it is populated fromorigin.process/origin.command.Brute-force (
bruteforce_attack) additionally rewriteswhereto detect failed auth (Failed password/USER_AUTHfailure) and re-points itsafterEventsthreshold to correlate by the populateddataSource(the original correlated byorigin.user/log.hostId, which are empty).Validation
Each of the 27 rules was deployed to a live SIEM and confirmed firing on a real payload generated on a Linux agent; the dedup change was verified to collapse a multi-event burst to a single alert per host. Full methodology, telemetry model, and per-rule results are documented in the workshop validation notes.
Scope
These are the 27 rules whose shipped logic could not fire (or duplicated) on the agent's auditd/journald telemetry. The remaining
rules/linux/rules either already fire as-shipped or target platforms not exercised here (RHEL/OpenShift/SELinux/Secure Boot, kernel-fault telemetry) and are left unchanged.🤖 Generated with Claude Code