elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 #3806

Closed ar3diu closed 3 months ago

ar3diu commented 3 months ago

Issues

https://github.com/elastic/detection-rules/issues/3803

Summary

Without a host grouping in the sequence of events, this rule triggers on events from different hosts which is not exactly the desired result.

cla-checker-service[bot] commented 3 months ago

❌ Author of the following commits did not sign a Contributor Agreement: cc150efbde95db42a21c5bebd0dc74cc177c2089

Please, read and sign the above mentioned agreement if you want to contribute to this project

Samirbous commented 3 months ago

Issues

3803

Summary

Without a host grouping in the sequence of events, this rule triggers on events from different hosts which is not exactly the desired result.

thanks for flagging this, adjusted your PR to use process.Ext.effective_parent.entity_id and process.entity_id (they are unique and more appropriate)
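The problem raised in the PR description and the fix described in the comment above (joining each sequence step on a process entity id so that events from different hosts cannot be chained together) can be reproduced with a small EQL-style correlator. The following is an added example and not code from elastic/detection-rules or the rule's actual query: the two steps (`outlook.exe` followed by `powershell.exe`), the pairing of join fields to steps, and all event values are constructed for illustration.

```python
"""Toy EQL-like sequence correlator showing why a sequence rule needs a join key.

Constructed example; not the detection-rules implementation and not the real
"Suspicious Inter-Process Communication via Outlook" query.
"""
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
Step = Callable[[Event], bool]

# Constructed sample events (not real telemetry). Field names follow the
# Elastic Endpoint schema mentioned in the thread; hosts and ids are made up.
EVENTS: List[Event] = [
    {"@timestamp": 1, "host.id": "host-A", "process.name": "outlook.exe",
     "process.entity_id": "A-100", "process.Ext.effective_parent.entity_id": "A-1"},
    # Unrelated PowerShell on a different host that happens to arrive next.
    {"@timestamp": 2, "host.id": "host-B", "process.name": "powershell.exe",
     "process.entity_id": "B-200", "process.Ext.effective_parent.entity_id": "B-2"},
    # The genuine child of the host-A Outlook process.
    {"@timestamp": 3, "host.id": "host-A", "process.name": "powershell.exe",
     "process.entity_id": "A-101", "process.Ext.effective_parent.entity_id": "A-100"},
]

# Hypothetical two-step sequence; the real rule's conditions are not reproduced.
STEPS: List[Step] = [
    lambda e: e.get("process.name") == "outlook.exe",
    lambda e: e.get("process.name") == "powershell.exe",
]

# One join field per step, in the spirit of EQL's per-step "by" clause:
# the Outlook process id must equal the effective parent id of the child.
# The pairing of fields to steps is an assumption for this example.
JOIN_FIELDS = ["process.entity_id", "process.Ext.effective_parent.entity_id"]


def correlate(events: List[Event], steps: List[Step],
              join_fields: Optional[List[str]] = None) -> List[Tuple[Event, ...]]:
    """Match `steps` in time order. With join_fields, every step must carry the
    same join value (looked up in that step's field); with None, any event that
    satisfies the next step extends the sequence, whatever host it came from.
    Simplification: each partial sequence is consumed by the first event that
    extends it."""
    partials: List[Tuple[object, List[Event]]] = []  # (join value, events so far)
    matches: List[Tuple[Event, ...]] = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        # Try to extend an in-progress sequence first.
        for idx, (key, chain) in enumerate(partials):
            step = len(chain)
            if not steps[step](ev):
                continue
            if join_fields is not None and ev.get(join_fields[step]) != key:
                continue  # right event type, wrong process lineage
            chain = chain + [ev]
            del partials[idx]
            if len(chain) == len(steps):
                matches.append(tuple(chain))
            else:
                partials.append((key, chain))
            break
        else:
            # No partial extended; see whether this event opens a new sequence.
            if steps[0](ev):
                key = ev.get(join_fields[0]) if join_fields is not None else None
                partials.append((key, [ev]))
    return matches


def cross_host(matches: List[Tuple[Event, ...]]) -> List[Tuple[Event, ...]]:
    """Return the matches whose events do not all share one host.id."""
    return [m for m in matches if len({e["host.id"] for e in m}) > 1]


if __name__ == "__main__":
    for label, fields in (("no join", None), ("joined on entity ids", JOIN_FIELDS)):
        found = correlate(EVENTS, STEPS, fields)
        print(label, "->", [[e["host.id"] + ":" + str(e["process.entity_id"])
                             for e in m] for m in found],
              "cross-host:", len(cross_host(found)))
```

Without a join key the only match pairs the host-A Outlook event with the host-B PowerShell event, and the genuine host-A parent/child pair is never reported because the partial sequence was already consumed; with the entity-id join the cross-host pair is rejected and the real lineage is the one that fires.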

brokensound77 commented 3 months ago

❌ Author of the following commits did not sign a Contributor Agreement: cc150ef

Please, read and sign the above mentioned agreement if you want to contribute to this project

Thanks for the contribution @ar3diu - once you sign the CLA, @Samirbous can get this merged in 🎉

ar3diu commented 3 months ago

I already signed the contributor agreement, but I don't know why it's not updated...

Screenshot from the pdf downloaded: [image]

ar3diu commented 3 months ago

@Mikaayenson should I close this one or...? I don't get why the CLA test did not pass since I signed the agreement. Any tips on investigating that?

Mikaayenson commented 3 months ago

The issue most likely is that your first commit cc150efbde95db42a21c5bebd0dc74cc177c2089 used a different name (Andrei Rediu vs ar3diu). I bet if you sign with the former you should be g2g. If not lmk and we can push this in.

ar3diu commented 3 months ago

Hm, I noticed that too, but I don't get why the commit used that username. It probably has to do with my local instance of vs code. Anyway, I have signed the CLA now for both github (user)names.

terrancedejesus commented 3 months ago

Force merged this in since 2 approvals were checked and unit testing passed. Reviewed commit history and diff to ensure delta did not contain any anomalies.