
[Rule Tuning] Interactive Terminal Spawned via Python #2781

Merged (6 commits), May 26, 2023

Conversation

w0rk3r
Contributor

@w0rk3r w0rk3r commented May 6, 2023

Summary

Brings #1649 back to life now that we support type changes

Contributor

@Aegrah Aegrah left a comment


Unit testing fix and a potential change of readability / less easy to bypass (as most shell equivalents in Linux end with sh). Other than that, LGTM

Two review comments on rules/linux/execution_python_tty_shell.toml (outdated, resolved)
Co-authored-by: Ruben Groenewoud <[email protected]>
@w0rk3r w0rk3r merged commit 0d5e25e into main May 26, 2023
@w0rk3r w0rk3r deleted the python_ch_type branch May 26, 2023 13:19
protectionsmachine pushed a commit that referenced this pull request May 26, 2023
* [Rule Tuning] Interactive Terminal Spawned via Python

* Update execution_python_tty_shell.toml

* Update execution_python_tty_shell.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <[email protected]>

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 0d5e25e)
@okbud12

okbud12 commented Jun 13, 2023

@w0rk3r the updated rule seems to be creating a lot of false positives. It is being triggered by services that perform health checks and configuration checks.

For example, OMS Agent in Linux runs a python script which collects telemetry. This further spawns a bash shell that displays the process metrics.
Similarly, there are other services related to Hadoop cluster monitoring that are creating the same.

Not sure if this would be the ideal optimization but there could be a NOT process.command_line: (#All the commands to ignore) added in the query as well.

sequence with maxspan=1m
  [process where host.os.type == "linux" and event.type == "start" and process.name : "python*"] by process.entity_id
  [process where host.os.type == "linux" and event.type == "start" and 
   process.executable : "/bin/*sh"
   and process.command_line != " "
  ] by `process.parent.entity_id`
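An added example, not code from the rule or the project, to make the quoted sequence and the proposed exclusion concrete: a small Python re-implementation of the EQL sequence above (including the `/bin/*sh` executable match the reviewer refers to, which catches sh, bash, dash and zsh alike) run over constructed process-start events, with a constructed exclusion set standing in for the suggested NOT process.command_line tuning. Field names follow the rule's ECS fields; the events, entity ids and the "benign" command line are placeholders invented for the example and are not real OMS Agent or Hadoop command lines.

```python
"""Added example: emulate the Python->shell EQL sequence with maxspan and a
command-line exclusion list, over constructed process-start events.
Not the detection rule's own code; all events and ids are constructed."""
from datetime import datetime, timedelta
from fnmatch import fnmatch

MAXSPAN = timedelta(minutes=1)  # "sequence with maxspan=1m"

# Constructed placeholder for a known-benign first-stage command line
# (the kind of entry the thread suggests putting under NOT process.command_line).
BENIGN_PARENT_CMDLINES = frozenset({
    "/usr/bin/python3 /opt/example-agent/collect_metrics.py",
})


def is_python_start(ev):
    """First stage: a Linux process start whose process.name matches python*."""
    return (ev["host.os.type"] == "linux" and ev["event.type"] == "start"
            and fnmatch(ev["process.name"], "python*"))


def is_shell_start(ev):
    """Second stage: a Linux process start of /bin/*sh with a non-blank command line."""
    return (ev["host.os.type"] == "linux" and ev["event.type"] == "start"
            and fnmatch(ev["process.executable"], "/bin/*sh")
            and ev["process.command_line"] != " ")


def match_sequences(events, exclusions=frozenset()):
    """Return (python_event, shell_event) pairs satisfying the sequence.

    A shell start joins a python start when process.parent.entity_id equals
    the python event's process.entity_id and it occurs within MAXSPAN.
    Pairs whose python command line is in `exclusions` are dropped; this is
    the tuning the comment proposes, applied to the first stage.
    """
    pending = {}  # process.entity_id of a python start -> its event
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if is_python_start(ev):
            pending[ev["process.entity_id"]] = ev
        elif is_shell_start(ev):
            first = pending.get(ev["process.parent.entity_id"])
            if first is None:
                continue
            if ev["@timestamp"] - first["@timestamp"] > MAXSPAN:
                continue  # outside maxspan: no sequence match
            if first["process.command_line"] in exclusions:
                continue  # tuned out as a known-benign parent
            matches.append((first, ev))
    return matches


def _ev(offset_s, name, executable, cmdline, entity_id, parent_id):
    """Build one constructed process-start event (ECS-style flat keys)."""
    return {
        "@timestamp": datetime(2023, 6, 13, 10, 0, 0) + timedelta(seconds=offset_s),
        "host.os.type": "linux",
        "event.type": "start",
        "process.name": name,
        "process.executable": executable,
        "process.command_line": cmdline,
        "process.entity_id": entity_id,
        "process.parent.entity_id": parent_id,
    }


# Constructed sample events: a telemetry collector that spawns bash for
# process metrics (the false-positive pattern), an unknown script spawning
# sh (what the rule is meant to surface), and a shell outside maxspan.
SAMPLE_EVENTS = [
    _ev(0, "python3", "/usr/bin/python3",
        "/usr/bin/python3 /opt/example-agent/collect_metrics.py", "p1", "p0"),
    _ev(2, "bash", "/bin/bash", "/bin/bash -c ps -eo pid,rss", "s1", "p1"),
    _ev(10, "python3", "/usr/bin/python3",
        "/usr/bin/python3 /tmp/untrusted_script.py", "p2", "p0"),
    _ev(11, "sh", "/bin/sh", "/bin/sh", "s2", "p2"),
    _ev(100, "python", "/usr/bin/python", "/usr/bin/python /srv/cron.py", "p3", "p0"),
    _ev(200, "dash", "/bin/dash", "/bin/dash -c echo ok", "s3", "p3"),
]


def alerts(events=SAMPLE_EVENTS, exclusions=BENIGN_PARENT_CMDLINES):
    """Return the child-shell entity ids that would still alert after tuning."""
    return [shell["process.entity_id"] for _, shell in match_sequences(events, exclusions)]


if __name__ == "__main__":
    untuned = [s["process.entity_id"] for _, s in match_sequences(SAMPLE_EVENTS)]
    print("before tuning:", untuned)   # ['s1', 's2']
    print("after tuning:", alerts())   # ['s2']
```

The untuned run flags both the collector's bash child and the unknown script's sh child; the exclusion removes only the former, and the dash child is never matched because it starts outside the one-minute span. Exact-match exclusions on whole command lines are fragile (a changed argument reopens the false positive), so when the exclusion is written into the rule it is usually easier to maintain when scoped to a stable part of the parent, such as the script path.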

@w0rk3r
Contributor Author

w0rk3r commented Jun 13, 2023

@okbud12, thanks for reporting, I'll take a look at it and push a tuning

4 participants