elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Suspicious Web Browser Sensitive File Access #3721

Closed ar3diu closed 2 weeks ago

ar3diu commented 3 months ago

Link to rule

https://github.com/elastic/detection-rules/blob/34294fbe6de810c7f2a01f3d16a0929c72b40a2f/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml#L19

Description

When there are no endpoint file events in which process.Ext.effective_parent.executable exists, this rule returns an error.

In my limited dataset with macOS endpoint events, process.Ext.effective_parent.executable is more often present in the process events.

A workaround would be to change the index pattern to logs-endpoint.*.

Example Data

N/A
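A small field-coverage check, added here as an illustration and not part of the elastic/detection-rules project, that shows how to verify before deploying a rule which datasets actually carry a field the rule references. The events are constructed samples in the shape of Elastic Endpoint file and process documents (the dataset names endpoint.events.file and endpoint.events.process are assumed); the rule's query itself is not reproduced. The resolver handles both nested `_source` objects and flattened dotted keys, since both layouts occur in practice.

```python
"""Report, per data_stream.dataset, how often a rule-referenced field is present.

Added example, not code from elastic/detection-rules. The sample events below
are constructed; only the field name is taken from the issue.
"""
from collections import defaultdict
from typing import Any

# Field referenced by the rule under discussion.
FIELD = "process.Ext.effective_parent.executable"

# Constructed sample events (not real telemetry). The file events lack the
# field entirely; the process events carry it, one of them in flattened form.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {
        "data_stream": {"dataset": "endpoint.events.file"},
        "event": {"category": ["file"], "action": "open"},
        "process": {"executable": "/usr/bin/cat"},
        "file": {"name": "logins.json"},
    },
    {
        "data_stream": {"dataset": "endpoint.events.file"},
        "event": {"category": ["file"], "action": "open"},
        "process": {"executable": "/usr/bin/cp"},
        "file": {"name": "Cookies"},
    },
    {
        "data_stream": {"dataset": "endpoint.events.process"},
        "event": {"category": ["process"], "action": "exec"},
        "process": {
            "executable": "/bin/sh",
            "Ext": {"effective_parent": {"executable": "/bin/zsh"}},
        },
    },
    {
        "data_stream": {"dataset": "endpoint.events.process"},
        "event": {"category": ["process"], "action": "exec"},
        # Flattened dotted keys, which Elasticsearch also accepts on ingest.
        "process.executable": "/usr/bin/python3",
        "process.Ext.effective_parent.executable": "/bin/bash",
    },
]


def get_field(event: dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted ECS field name against one document.

    Checks for a flattened key first, then walks the nested objects.
    Returns None when any path segment is missing.
    """
    if dotted in event:
        return event[dotted]
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def field_coverage(events: list[dict[str, Any]], field: str) -> dict[str, tuple[int, int]]:
    """Map each data_stream.dataset to (events with the field, total events)."""
    counts: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for ev in events:
        dataset = get_field(ev, "data_stream.dataset") or "<unknown>"
        counts[dataset][1] += 1
        if get_field(ev, field) is not None:
            counts[dataset][0] += 1
    return {ds: (present, total) for ds, (present, total) in counts.items()}


def index_patterns_for(coverage: dict[str, tuple[int, int]]) -> list[str]:
    """Suggest logs-<dataset>-* patterns for datasets where the field occurs.

    An empty list means no sampled dataset carries the field, which is the
    situation in which the rule would error as described in the issue.
    """
    return sorted(f"logs-{ds}-*" for ds, (present, _) in coverage.items() if present > 0)


if __name__ == "__main__":
    cov = field_coverage(SAMPLE_EVENTS, FIELD)
    for ds, (present, total) in sorted(cov.items()):
        print(f"{ds}: {present}/{total} events carry {FIELD}")
    print("index patterns with field data:", index_patterns_for(cov))
```

Run against an export of real events from the target index pattern, the same report tells you whether the rule's index pattern and its referenced fields agree before the rule is enabled.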

botelastic[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 1 month ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.