Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Rule Tuning] Suspicious Web Browser Sensitive File Access #3721

Closed
ar3diu opened this issue May 30, 2024 · 2 comments · Fixed by #4029
Closed

[Rule Tuning] Suspicious Web Browser Sensitive File Access #3721

ar3diu opened this issue May 30, 2024 · 2 comments · Fixed by #4029
Assignees
@DefSecSentinel
Labels
community Rule: Tuning tweaking or tuning an existing rule

Comments

@ar3diu
Copy link
Contributor

ar3diu commented May 30, 2024
edited
Loading

Link to rule

detection-rules/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

Line 19 in 34294fb

name = "Suspicious Web Browser Sensitive File Access"

Description

When there are no endpoint file events in which process.Ext.effective_parent.executable exists, this rule returns an error.
image

In my limited dataset with macos endpoint events, process.Ext.effective_parent.executable is more often present in the process events.

A workaround would be to change the index pattern to logs-endpoint.*.

Example Data

N/A
@ar3diu ar3diu added the Rule: Tuning tweaking or tuning an existing rule label May 30, 2024
@botelastic
Copy link

botelastic bot commented Aug 2, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the stale 60 days of inactivity label Aug 2, 2024
@botelastic
Copy link

botelastic bot commented Aug 9, 2024

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

@botelastic botelastic bot closed this as completed Aug 9, 2024
@w0rk3r w0rk3r reopened this Aug 9, 2024
@botelastic botelastic bot removed the stale 60 days of inactivity label Aug 9, 2024
@w0rk3r w0rk3r mentioned this issue Aug 28, 2024
Merged
@w0rk3r w0rk3r linked a pull request Aug 28, 2024 that will close this issue
[Tuning] Suspicious Web Browser Sensitive File Access #4029
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DefSecSentinel DefSecSentinel

Labels
community Rule: Tuning tweaking or tuning an existing rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Tuning] Suspicious Web Browser Sensitive File Access elastic/detection-rules
3 participants
@w0rk3r @DefSecSentinel @ar3diu