elastic
diff --git a/‎rules/linux/execution_apt_binary.toml‎
Lines changed: 5 additions & 3 deletions b/‎rules/linux/execution_apt_binary.toml‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎rules/linux/execution_awk_binary_shell.toml‎
Lines changed: 3 additions & 2 deletions b/‎rules/linux/execution_awk_binary_shell.toml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎rules/linux/execution_env_binary.toml‎
Lines changed: 5 additions & 4 deletions b/‎rules/linux/execution_env_binary.toml‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎rules/linux/execution_expect_binary.toml‎
Lines changed: 5 additions & 4 deletions b/‎rules/linux/execution_expect_binary.toml‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎rules/linux/execution_find_binary.toml‎
Lines changed: 4 additions & 3 deletions b/‎rules/linux/execution_find_binary.toml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎rules/linux/execution_gcc_binary.toml‎
Lines changed: 4 additions & 3 deletions b/‎rules/linux/execution_gcc_binary.toml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎rules/linux/execution_mysql_binary.toml‎
Lines changed: 5 additions & 4 deletions b/‎rules/linux/execution_mysql_binary.toml‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎rules/linux/execution_nice_binary.toml‎
Lines changed: 7 additions & 5 deletions b/‎rules/linux/execution_nice_binary.toml‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎rules/linux/execution_ssh_binary.toml‎
Lines changed: 5 additions & 4 deletions b/‎rules/linux/execution_ssh_binary.toml‎
Lines changed: 5 additions & 4 deletions
@@ -1,14 +1,16 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies Linux binary apt/apt-get abuse to breakout out of restricted shells or environments by spawning an
-interactive system shell. This activity is not standard use with this binary for a user or system administrator. It
-indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
+interactive system shell. The apt utility allows us to manage installation and removal of softwares on Debian based
+Linux distributions and the activity of spawning shell is not a standard use of this binary for a user or system
+administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
+access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 
@@ -1,13 +1,14 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies Linux binary awk abuse to breakout out of restricted shells or environments by spawning an interactive system
-shell. This activity is not standard use with this binary for a user or system administrator. It indicates a potentially
+shell. The awk utility is a text processing language used for data extraction and reporting tools and the activity of
+spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
 malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.This
-activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious
-actor attempting to improve the capabilities or stability of their access
+Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell.The
+env utility is a shell command for Unix like OS which is used to print a list of environment variables and the activity
+of spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially
+malicious actor attempting to improve the capabilities or stability of their access
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/03/07"
 maturity = "development"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary expect abuse to break out from restricted environments by spawning an interactive system shell
-This activity is not standard use with this binary for a user or system administrator and could potentially indicate
-malicious actor attempting to improve the capabilities or stability of their access.
+Identifies Linux binary expect abuse to break out from restricted environments by spawning an interactive system shell.
+The expect utility allows us to automate control of interactive applications such as telnet,ftp,ssh and others and the
+activity of spawning shell is not a standard use of this binary for a user or system administrator and could potentially
+indicate malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/02/28"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
-This activity is not standard use with this binary for a user or system administrator. It indicates a potentially
-malicious actor attempting to improve the capabilities or stability of their access.
+The find command in Unix is a command line utility for walking a file hirerarchy and the activity of spawning shell is
+not a standard use of this binary for a user or system administrator.It indicates a potentially malicious actor
+attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 
@@ -1,13 +1,14 @@
 [metadata]
 creation_date = "2022/03/09"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell.This
-activity is not standard use with this binary for a user or system administrator and could potentially indicate
+Identifies Linux binary gcc abuse to break out from restricted environments by spawning an interactive system shell.The
+gcc utility is a complier system for various languages and mainly used to complie C and C++ programs and the activity of
+spawning shell is not a standard use of this binary for a user or system administrator.It indicates a potentially
 malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/03/09"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell.This
-activity is not standard use with this binary for a user or system administrator and could potentially indicate
-malicious actor attempting to improve the capabilities or stability of their access.
+Identifies MySQL server abuse to break out from restricted environments by spawning an interactive system shell.The
+MySQL is an open source relational database management system and the activity of spawning shell is not a standard use
+of this binary for a user or system administrator.It indicates a potentially malicious actor attempting to improve the
+capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 
@@ -1,14 +1,16 @@
 [metadata]
 creation_date = "2022/03/07"
 maturity = "development"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
-description = """
-Identifies Linux binary nice abuse to break out from restricted environments by spawning an interactive system shell.This
-activity is not standard use with this binary for a user or system administrator. It indicates a potentially malicious
-actor attempting to improve the capabilities or stability of their access
+description = """
+Identifies Linux binary nice abuse to break out from restricted environments by spawning an interactive system shell.The
+nice command is used to invoke a utility or a shell script with a particular CPU priority, thus giving the process more
+or less CPU and the activity of spawning shell is not a standard use of this binary for a user or system
+administrator.It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
+access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
 
@@ -1,14 +1,15 @@
 [metadata]
 creation_date = "2022/03/10"
 maturity = "production"
-updated_date = "2022/03/17"
+updated_date = "2022/03/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Identifies Linux binary ssh abuse to break out from restricted environments by spawning an interactive system shell.This
-activity is not standard use with this binary for a user or system administrator and could potentially indicate
-malicious actor attempting to improve the capabilities or stability of their access.
+Identifies Linux binary ssh abuse to break out from restricted environments by spawning an interactive system shell.The
+ssh is a network protocol that gives users,particularly system administrators a secure way to access a computer over a
+network and the activity of spawning shell is not a standard use of this binary for a user or system administrator.It
+indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]