LoFP LoFP / cross-platform

cross-platform rule

TitleTags
approved third-party applications that use google drive download urls.
certain tools or automated software may enumerate hardware information. these tools can be exempted via user name or process arguments to eliminate potential noise.
changes to the shell profile tend to be noisy, a tuning per your environment will be required.
developers performing browsers plugin or extension debugging.
endpoint security installers, updaters and post installation verification scripts.
false positives can occur because the rules may be mapped to a few mitre att&ck tactics. use the attached timeline to determine which detections were triggered on the host.
false positives can occur with generic built-in accounts, such as administrator, admin, etc. if they are widespread used in your environment. as a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident.
legitimate publicly shared files from google drive.
legitimate use of the `sendcommand` api call to execute commands on ec2 instances using the ssm service may be done by system administrators or devops engineers for legitimate purposes.
ssh over ports apart from the traditional port 22 is highly uncommon. this rule alerts the usage of the such uncommon ports by the ssh service. tuning is needed to have higher confidence. if this activity is expected and noisy in your environment, consider adding exceptions — preferably with a combination whitelisted ports for such legitimate ssh activities.
this is meant to run only on datasources using elastic agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives.
this rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the sudo or sudoedit binaries. only sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive.
this rule is not looking for threat activity. disable the rule if you're already familiar with alerts.
trusted system module updates or allowed pluggable authentication module (pam) daemon configuration changes.