Ruben Groenewoud
Nice start @tsale. You suggest driver/image load; I'm unsure whether this means shared object load and LKM load. Otherwise, an LKM load would be good to add. Certain syscalls are...
@Mikaayenson I did this a few months ago, but many new rules were introduced since then, so some inconsistencies might have slipped through. It's never bad to check. It would...
@w0rk3r did a great job also adding Endgame compatibility to the Linux rules in his 3rd party EDR initiative Meta: https://github.com/elastic/security-team/issues/8029#issuecomment-2578900206. Linux should, after merging all of these in, be...
## Updated query
Changed the query based on @w0rk3r's comment; proof of working logic:
## Check compatibility
These rules are also partially compatible with Auditd, Auditd Manager, and Auditbeat. I need to check setups for this and make these compatible. I will do this...
Hi @vx-sec thank you for bringing this to our attention! It indeed looks like the issue is related to not having data from both access logs and network packet capture...
@vx-sec, again, thank you for bringing this to our attention. Elasticsearch ES|QL validates all referenced fields against the combined mappings of every index in a multi-index FROM clause. Because some...