SigmaHQ / sigma

Main Sigma Rule Repository

Compiler Execution Within Kubernetes Containers #4880

Closed signalblur closed 1 week ago

signalblur commented 1 week ago

Summary of the Pull Request

I've created a new detector based on research done by Datadog based on compiler execution within a container. I believe I saw a tweet a few years back from Florian suggesting to avoid regex to make understanding logic a bit easier, but on the off chance it's preferred over the below I believe this should work:

.*(\-|\_| )?(gcc|g\+\+|clang|javac|make|nasm|yasm)(\-|\_| )?.*

This shouldn't happen legitimately (according to best practices) as builds should be immutable. I've set the priority on this to low as even though that is a recommended best practice, I'm sure there will be FPs in reality.

Changelog

new: Compiler Execution Within Kubernetes Containers

Example Log Event

Fixed Issues

N/A

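Added example, not code from this PR or the Sigma repository: the regex quoted in the description and a plain exact-name match on the same compiler list, run over constructed container process events to show where the two diverge (version-suffixed binaries, and names that merely contain a compiler name). The event format and the exact-name matcher are assumptions for illustration, not the rule's actual selection.

```python
import re

# Regex copied verbatim from the PR description.
COMPILER_REGEX = re.compile(
    r".*(\-|\_| )?(gcc|g\+\+|clang|javac|make|nasm|yasm)(\-|\_| )?.*"
)

# Non-regex alternative (assumed for this example): the same compiler
# names, compared against the process basename only.
COMPILER_NAMES = {"gcc", "g++", "clang", "javac", "make", "nasm", "yasm"}


def regex_match(process: str) -> bool:
    """True if the PR's regex matches anywhere in the process path."""
    return COMPILER_REGEX.match(process) is not None


def exact_name_match(process: str) -> bool:
    """True only if the basename is exactly one of the listed compilers."""
    return process.rsplit("/", 1)[-1] in COMPILER_NAMES


# Constructed sample events (pod name, executed binary); not real telemetry.
SAMPLE_EVENTS = [
    {"pod": "api-1", "process": "/usr/bin/gcc"},        # both match
    {"pod": "api-2", "process": "/usr/bin/gcc-12"},     # regex only
    {"pod": "ci-3", "process": "/usr/bin/cmake"},       # regex only ('make' substring)
    {"pod": "web-4", "process": "/usr/local/bin/node"}, # neither
    {"pod": "build-5", "process": "/usr/bin/clang"},    # both match
    {"pod": "data-6", "process": "/usr/bin/python3"},   # neither
]


def evaluate(events, matcher) -> list:
    """Return the pod names whose process the given matcher flags."""
    return [e["pod"] for e in events if matcher(e["process"])]


def divergence(events) -> dict:
    """Pods flagged by the regex but not by exact-name matching, and vice versa."""
    by_regex = set(evaluate(events, regex_match))
    by_exact = set(evaluate(events, exact_name_match))
    return {
        "regex_only": sorted(by_regex - by_exact),
        "exact_only": sorted(by_exact - by_regex),
    }


if __name__ == "__main__":
    print("regex :", evaluate(SAMPLE_EVENTS, regex_match))
    print("exact :", evaluate(SAMPLE_EVENTS, exact_name_match))
    print("diff  :", divergence(SAMPLE_EVENTS))
```

The regex catches versioned binaries such as gcc-12 that an exact list misses, at the cost of also flagging any name containing a compiler string (cmake here), which is where the expected FPs come from.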

nasbench commented 1 week ago

Since the PR https://github.com/SigmaHQ/sigma/pull/4881 contains the rule you submitted here (I'll handle both of them there).