elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] LSASS Memory Dump Creation #3810

Closed ar3diu closed 2 months ago

ar3diu commented 3 months ago

Issues

https://github.com/elastic/detection-rules/issues/3756

Summary

I added another process executable path in one of the exclusions: "?:\\Windows\\System32\\WerFaultSecure.exe". The rule was triggered in a production environment for this exact executable and .dmp files that are already included in the query.

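As an added example, not code from this PR or from the detection-rules repository: a small Python model of the kind of process-executable exclusion the summary describes, run over constructed file-creation events. The file-name clause, the list of exclusions (only the WerFaultSecure.exe path from the PR is included; the real rule has others) and the matching semantics ("?" as a single-character wildcard for the drive letter, case-insensitive comparison of Windows paths) are assumptions for this example; the rule's actual query is not reproduced here.

```python
import re

# Constructed exclusion list for this example. The one entry taken from the PR
# is the WerFaultSecure.exe path; the real rule carries other exclusions that
# are not reproduced here. "?" stands for the drive letter.
EXCLUDED_EXECUTABLES = [
    r"?:\Windows\System32\WerFaultSecure.exe",
]


def _wildcard_to_regex(pattern):
    """Turn a path pattern into a full-match, case-insensitive regex.

    Assumed semantics: '?' matches exactly one character, '*' matches any
    run of characters, everything else is literal (backslashes included).
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)


def is_excluded(executable, patterns=EXCLUDED_EXECUTABLES):
    """True if the process executable path matches any exclusion pattern."""
    return any(_wildcard_to_regex(p).match(executable) for p in patterns)


def is_lsass_dump(file_name):
    """Assumed file-name clause: a .dmp whose name starts with 'lsass'."""
    name = file_name.lower()
    return name.startswith("lsass") and name.endswith(".dmp")


def evaluate(events):
    """Return the events that would still alert after the exclusion is applied."""
    alerts = []
    for ev in events:
        if ev["event_type"] != "creation":
            continue
        if not is_lsass_dump(ev["file_name"]):
            continue
        if is_excluded(ev["process_executable"]):
            continue
        alerts.append(ev)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Windows Error Reporting writing an LSASS crash dump from System32 on C:
    {"event_type": "creation", "file_name": "lsass.exe.4321.dmp",
     "process_executable": r"C:\Windows\System32\WerFaultSecure.exe"},
    # Same binary on a host whose system drive is D:, covered by the '?' wildcard
    {"event_type": "creation", "file_name": "lsass.exe.8765.dmp",
     "process_executable": r"D:\WINDOWS\system32\werfaultsecure.exe"},
    # A copy of the binary run from a user-writable directory: path mismatch
    {"event_type": "creation", "file_name": "lsass.dmp",
     "process_executable": r"C:\Users\Public\WerFaultSecure.exe"},
    # A dump tool that is not excluded
    {"event_type": "creation", "file_name": "lsass.dmp",
     "process_executable": r"C:\Tools\procdump64.exe"},
    # Excluded binary writing a dump of a different process: not an LSASS dump
    {"event_type": "creation", "file_name": "notepad.exe.1111.dmp",
     "process_executable": r"C:\Windows\System32\WerFaultSecure.exe"},
]


if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print("ALERT", ev["process_executable"], "->", ev["file_name"])
```

Running it leaves two alerts: the copy of WerFaultSecure.exe under C:\Users\Public and the procdump event. The third sample is the check worth keeping in mind when reviewing an exclusion like this one: it is anchored to the full path under System32, so the same file name run from a user-writable directory still fires. The remaining caveat is that the exclusion is keyed on the reported process.executable string, not on the binary's identity or signature, so it only holds as long as that path is trustworthy on the host.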

cla-checker-service[bot] commented 3 months ago

❌ Author of the following commits did not sign a Contributor Agreement: 8c851af8cc0a0a005201f8158e8c284fcb1309a4

Please, read and sign the above mentioned agreement if you want to contribute to this project

Mikaayenson commented 3 months ago

@ar3diu Can you confirm you signed the CLA with the same email account that you used to commit for this PR? Also can you update the date in the rule?

Mikaayenson commented 2 months ago

@ar3diu IINM the reason why it's failing is because there is a commit from user Andrei Rediu which is different from ar3diu.

ar3diu commented 2 months ago

@Mikaayenson

So what should I do now? I already signed the CLA for both usernames.