[Rule Tuning] Linux DR Tuning - Part 1 #3316
Conversation
@Aegrah - Not entirely sure why your query is failing with wildcards in
Update: Still digging, but it seems that because
@terrancedejesus thanks for digging! Yep I was thinking of applying that change anyway. But indeed, as this is possible in Kibana, I figured it would also be possible here. For now, it's not a big deal, so I can just use your suggested workaround. Good to be aware of!
Bug issue created: #3351
* [Rule Tuning] Linux DR Tuning - Part 1
* fix
* Update command_and_control_linux_kworker_netcon.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_file_mod_writable_dir.toml

Removed changes from:
- rules/linux/command_and_control_linux_kworker_netcon.toml
- rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
- rules/linux/defense_evasion_file_mod_writable_dir.toml

(selectively cherry picked from commit b533642)
* [Rule Tuning] Linux DR Tuning - Part 1
* fix
* Update command_and_control_linux_kworker_netcon.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_file_mod_writable_dir.toml

(cherry picked from commit b533642)
Summary
Linux DR tuning for the first set of Linux DRs.