Podman path starts with . causes heaps of alerts

We’ve received large numbers of alerts from Linux endpoints where standard rule exceptions don’t work due to the fact that the logged process.executable path starts with a . rather than /, which affects multiple rules. Looks like this

process.executable "./usr/bin/podman" while the rule exception is "/usr/bin/podman".

We’ve had to create rule exceptions to 5+ rules to mitigate but it really looks like a bug - presumably in the agent. We’re still on 9.1.4 and noticed that 9.1.5 just came out, no release notes available though so not sure what’s being fixed.
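As an added example (not from the thread and not Elastic code), a small triage script over constructed events shows why an exact-match exception misses the "./usr/bin/podman" form and which hosts are still emitting it; host names, agent versions and the event shape are assumptions:

```python
import os

# Constructed sample events in the shape described in the thread (not real endpoint data).
SAMPLE_EVENTS = [
    {"host": "lnx-01", "agent.version": "9.1.2", "process.executable": "./usr/bin/podman"},
    {"host": "lnx-02", "agent.version": "9.1.4", "process.executable": "/usr/bin/podman"},
    {"host": "lnx-03", "agent.version": "9.1.4", "process.executable": "./usr/bin/podman"},
    {"host": "lnx-04", "agent.version": "9.1.4", "process.executable": "/usr/bin/bash"},
]

# Exact-match rule exception as used in the thread.
EXCEPTIONS = {"/usr/bin/podman"}


def is_malformed(path):
    """True for the relative './...' form that the thread reports instead of an absolute path."""
    return path.startswith("./")


def normalize_executable(path):
    """Rewrite a leading './' to '/' and collapse redundant separators.

    Used only for triage: it shows what the exception *would* match if the
    executable had been logged as an absolute path.
    """
    if is_malformed(path):
        path = path[1:]
    return os.path.normpath(path)


def triage(events, exceptions):
    """Split events into: matched as-is, matched only after normalizing, unmatched."""
    result = {"matched": [], "malformed_would_match": [], "unmatched": []}
    for ev in events:
        exe = ev["process.executable"]
        if exe in exceptions:
            result["matched"].append(ev["host"])
        elif is_malformed(exe) and normalize_executable(exe) in exceptions:
            result["malformed_would_match"].append(ev["host"])
        else:
            result["unmatched"].append(ev["host"])
    return result


def hosts_still_affected(events):
    """Map host -> agent version for hosts still emitting the malformed path."""
    return {ev["host"]: ev["agent.version"] for ev in events if is_malformed(ev["process.executable"])}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, EXCEPTIONS))
    print(hosts_still_affected(SAMPLE_EVENTS))
```

The second report is the one to compare against the agent version that carries the fix, since a host listed there with a recent agent indicates the fix has not reached that endpoint.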

Hi @michael-a, that bug is fixed in 9.1.3. When you say you’re seeing it in 9.1.4 do you mean 9.1.4 Kibana or 9.1.4 Elastic Agent? The fix was in the Endpoint binary that Agent runs on the host generating the data so you’ll need to upgrade to a 9.1.3+ Elastic Agent to pick up the fix.

Hi @ferullo and thanks for the quick reply, just checking and as far as I can tell we have it on at least a handful of clients with agent 9.1.4 (backend i.e. Kibana is also 9.1.4 btw), hitting multiple rules i.e.

  • Shell Configuration Creation or Modification
  • Creation or Modification of Pluggable Authentication Module or Configuration
  • Systemd Service Created

Let me know if there’s anything else I can do.