
[FR] Pre-Built Elastic Auditd Ruleset

Open Aegrah opened this issue 7 months ago • 1 comments

Summary

The detection rules repository has multiple rules that require Auditd rules to work properly. The investigation guides contain the information needed to create the rule file, however, it would be convenient to have a full OOTB elastic Auditd ruleset available that contains all rules necessary to run all OOTB detection rules.

Aegrah avatar May 09 '25 09:05 Aegrah

This is a great idea! However, I think this statement is a bit overly-optimistic: "The investigation guides contain the information needed to create the rule file".

These are the issues I originally came here to report, but I'm unsure if this is the right repository, so I'm just dropping them here for now:

  • There are rules that have a generic paragraph about auditd, but no exact rule definitions. (If no additional rules are required, then it should be stated explicitly.) Example: https://github.com/elastic/detection-rules/blob/22cf1f0cedc6ef693a4262eac61df8f495ff71da/rules/linux/defense_evasion_disable_selinux_attempt.toml
  • There are rules that link the Auditd Manager integration, but say nothing about it in their setup guide. Example: https://github.com/elastic/detection-rules/blob/22cf1f0cedc6ef693a4262eac61df8f495ff71da/rules/linux/lateral_movement_ssh_it_worm_download.toml

I think there are many rules with these issues, but I don't have exact numbers so I might be biased. But I do feel that as it currently stands these issues greatly limit the usefulness of the Auditd Manager integration for SIEM use. I think a general review of the related rules is warranted. Having an all-inclusive ruleset out of the box on top of these would indeed be a great UX improvement.

lpeter91 avatar May 21 '25 12:05 lpeter91
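For readers unfamiliar with what the requested file would contain, here is a sketch of an auditd rules file in the shape such an OOTB ruleset could take. It is added here as an illustration and is not taken from the detection-rules repository or the Auditd Manager integration docs; the keys, the watched path and the choice of the execve syscall are assumptions, picked because they would produce the process-execution and config-change events the two rules linked above look for.

```text
## Constructed example auditd ruleset (assumed content, not the project's own).
## Install by placing it in /etc/audit/rules.d/ and running `augenrules --load`,
## or load it directly with `auditctl -R <file>`.

## Flush existing rules, enlarge the kernel backlog, and log (not panic) on failure
-D
-b 8192
-f 1

## Record every program execution on 64- and 32-bit ABIs. Process-based rules
## (e.g. "setenforce 0", or curl/wget launched inside an ssh session) depend on
## these execve events reaching the Auditd Manager integration.
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec

## Watch the SELinux configuration file for writes and attribute changes, so a
## persistent attempt to disable SELinux is recorded even without an execve.
-w /etc/selinux/config -p wa -k selinux_config

## Lock the ruleset until reboot once it is final (leave commented while iterating)
#-e 2
```

After loading, `auditctl -l` lists the active rules and `ausearch -k exec` confirms execve events are being captured before wiring the integration to them.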

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] avatar Jul 20 '25 13:07 botelastic[bot]