Closed
Labels: Rule: Tuning (tweaking or tuning an existing rule), Team: TRADE, community
Description
Link to Rule
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
False positive on Ansible activity using scp (uses sftp)
Info
- process.executable: /usr/libexec/openssh/sftp-server
- file.path: /var/tmp/ansible-tmp-1754898536.2272522-609-146892182032861/source
Example Data
Alert data
```yaml
_id: 958a4ff61bc04abbd9376f62ec29d22c69756e469039b98022d2da4eb3950c7a
_index: .internal.alerts-security.alerts-default-000002
_score: 1
fields:
  '@timestamp':
    - '2025-08-11T07:50:17.161Z'
  data_stream.dataset:
    - endpoint.events.file
  data_stream.namespace:
    - <redacted>
  event.action:
    - creation
  event.category:
    - file
  event.created:
    - '2025-08-11T07:48:57.279Z'
  event.dataset:
    - endpoint.events.file
  event.id:
    - O5xnsu1YZeXs7Wvt+++3S/Te
  event.ingested:
    - '2025-08-11T07:49:19.000Z'
  event.sequence:
    - 41979949
  file.name:
    - source
  file.path:
    - /var/tmp/ansible-tmp-1754898536.2272522-609-146892182032861/source
  file.path.text:
    - /var/tmp/ansible-tmp-1754898536.2272522-609-146892182032861/source
  group.Ext.real.id:
    - '1001'
  group.Ext.real.name:
    - <redacted>
  group.id:
    - '1001'
  group.name:
    - <redacted>
  host.id:
    - 05ad1e30f47c465a981ea48d0d84d7fd
  host.name:
    - <redacted>
  host.os.type:
    - linux
  message:
    - Endpoint file event
  process.executable:
    - /usr/libexec/openssh/sftp-server
  process.executable.text:
    - /usr/libexec/openssh/sftp-server
  process.name:
    - sftp-server
  process.name.text:
    - sftp-server
  process.pid:
    - 2619533
  user.Ext.real.id:
    - '1000'
  user.Ext.real.name:
    - opc
  user.id:
    - '1000'
  user.name:
    - <redacted>
  user.name.text:
    - <redacted>
```
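The tuning this report asks for, written out as an added example (not the detection-rules project's own code and not the rule's exception list): a predicate that recognises the one benign pattern in the alert above, sftp-server creating a file directly inside an Ansible remote tmp directory, and leaves every other writer or path to the rule. The ECS field names and the `/usr/libexec/openssh/sftp-server` path come from the alert document; the Debian-family sftp-server location, the `/tmp` alternative and the `ansible-tmp-<time>-<pid>-<random>` directory pattern are assumptions generalised from the single path in the report.

```python
import re
from typing import Any, Dict, Iterable, Mapping, Optional

# Constructed sample: the alert from the report above, reduced to the fields the
# exception inspects. Kibana's "fields" view wraps every value in a list.
SAMPLE_ALERT: Dict[str, Any] = {
    "event.category": ["file"],
    "event.action": ["creation"],
    "process.executable": ["/usr/libexec/openssh/sftp-server"],
    "process.name": ["sftp-server"],
    "file.path": ["/var/tmp/ansible-tmp-1754898536.2272522-609-146892182032861/source"],
    "user.id": ["1000"],
}

# Assumed executables: the RHEL-family path from the report plus the
# Debian-family location (assumption, not taken from the report).
SFTP_SERVER_EXECUTABLES = frozenset({
    "/usr/libexec/openssh/sftp-server",
    "/usr/lib/openssh/sftp-server",
})

# Directory pattern generalised from the single path in the report:
# <tmpdir>/ansible-tmp-<epoch.fraction>-<pid>-<random>/<file>. Anchored at both
# ends so an "ansible-tmp-" component deeper in a path does not match, and only
# files written directly into that directory are covered.
ANSIBLE_TMP_FILE = re.compile(
    r"^(?:/var/tmp|/tmp)/ansible-tmp-\d+(?:\.\d+)?-\d+-\d+/[^/]+$"
)


def first(alert: Mapping[str, Any], field: str) -> Optional[str]:
    """Return a field as a scalar whether the document is list-valued or flat."""
    value = alert.get(field)
    if isinstance(value, (list, tuple)):
        return str(value[0]) if value else None
    return None if value is None else str(value)


def is_ansible_sftp_false_positive(alert: Mapping[str, Any]) -> bool:
    """True only when sftp-server itself creates a file inside an Ansible tmp dir.

    Both conditions are required: a different process writing into the same
    directory, or sftp-server writing somewhere else, still deserves the alert.
    """
    if first(alert, "event.category") != "file":
        return False
    if first(alert, "event.action") != "creation":
        return False
    if first(alert, "process.executable") not in SFTP_SERVER_EXECUTABLES:
        return False
    path = first(alert, "file.path")
    return bool(path and ANSIBLE_TMP_FILE.match(path))


def apply_exception(alerts: Iterable[Mapping[str, Any]]) -> list:
    """Drop the benign Ansible-over-sftp events and keep everything else."""
    return [a for a in alerts if not is_ansible_sftp_false_positive(a)]


if __name__ == "__main__":
    other = dict(SAMPLE_ALERT, **{"process.executable": ["/usr/bin/bash"]})
    print(is_ansible_sftp_false_positive(SAMPLE_ALERT))  # True
    print(is_ansible_sftp_false_positive(other))         # False
    print(len(apply_exception([SAMPLE_ALERT, other])))   # 1
```

The predicate deliberately keys on both the executable and the anchored path: an exception on the `ansible-tmp-` substring alone would also silence any process that chooses to drop files into a directory with that name, which is exactly the kind of staging the file-creation rule exists to catch.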