Possible bug in rule: "AWS Activity In New Region" #343
Comments
It definitely looks to be the case @tdziwok, thank you for pointing this out! We will work on a PR to get it fixed up. If you made any changes to the search it would be great if you could share them as an example fix 😄

Hey, added a PR to fix this: #345. Should be fixed in the next release.
Hi @d1vious, thanks for looking into this so quickly. I believe I have found one more instance of the same issue by using:

``grep -irE '([^`]|^)security_content_ctime' ./detections/``

`./detections/ec2_instance_started_with_previously_unseen_instance_type.yml` has the exact same pattern and needs the exact same fix. Thanks for your help, and keep up the awesome work!

Thanks,

@tdziwok thank you for sharing this one too, re-opened the issue for now. I will make another PR to solve this one.

@tdziwok added another PR in there to include this search. Thank you again for catching this error!
Hi ESCU Team,

I think there may have been an inadvertent bug introduced in f9bdf7e.

The rule from `detections/aws_activity_in_new_region.yml` no longer runs in Splunk, as

`| convert security_content_ctime(earliest) security_content_ctime(latest)`

is not a valid usage of the `convert` command. I am guessing that this is an instance where `sed` or another replacing tool caught some "real" `ctime` invocations while looking for instances of the old macro name.

Thanks,
Tomasz
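The failure mode in this thread (a bulk rename turning a real `convert ... ctime(field)` call into a bare `security_content_ctime(field)`, which is only valid when invoked as a backticked macro) lends itself to a small lint. The script below is an added example and is not part of this issue or of the security_content repository; it applies the grep pattern from the thread (macro name not preceded by a backtick) to a search string and repairs only the occurrences that sit inside a `convert` clause. The two SPL strings are constructed samples, shortened from what a real detection looks like, and the assumption that the ESCU macro itself expands to a `convert ... ctime(...)` call is mine, not something stated on this page.

```python
import re
from typing import Dict, List

# The thread's grep, as a regex: the macro name appearing WITHOUT a leading
# backtick, i.e. used as a bare SPL function instead of a `macro` invocation.
# Captures the field name so a repair can rebuild the call.
BARE_MACRO_RE = re.compile(r"(?<!`)security_content_ctime\(\s*([A-Za-z_][\w.]*)\s*\)")

# Constructed sample searches (not the real detection content). The first one
# mirrors the broken pattern reported in the issue; the second is the intended
# macro usage, which a linter must NOT flag.
SAMPLE_SEARCHES: Dict[str, str] = {
    "aws_activity_in_new_region (broken)":
        "| tstats count min(_time) as earliest max(_time) as latest "
        "from datamodel=Change where All_Changes.vendor_region=* by All_Changes.user "
        "| convert security_content_ctime(earliest) security_content_ctime(latest)",
    "correct macro use":
        "| stats count min(_time) as earliest max(_time) as latest by src "
        "| `security_content_ctime(earliest)` "
        "| `security_content_ctime(latest)`",
}


def find_bare_macro_uses(search: str) -> List[str]:
    """Return the field names passed to every un-backticked macro call.

    An empty list means the search only uses the macro the supported way
    (or not at all).
    """
    return BARE_MACRO_RE.findall(search)


def repair_convert_clauses(search: str) -> str:
    """Inside `| convert ...` clauses only, turn the bare macro name back into
    the convert function `ctime(field)`, undoing the over-eager rename.

    Bare uses outside a convert clause are deliberately left alone: there the
    right fix is usually to wrap the call in backticks, which is a judgement
    call for a human. Splitting on '|' is good enough for detection searches,
    which do not put pipes inside quoted strings; a full SPL parser would be
    needed for arbitrary input.
    """
    fixed = []
    for clause in search.split("|"):
        if clause.strip().lower().startswith("convert"):
            clause = BARE_MACRO_RE.sub(r"ctime(\1)", clause)
        fixed.append(clause)
    return "|".join(fixed)


def lint_searches(searches: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each search name to the list of fields used in bare macro calls,
    keeping only the searches that have at least one finding."""
    findings = {name: find_bare_macro_uses(spl) for name, spl in searches.items()}
    return {name: fields for name, fields in findings.items() if fields}


if __name__ == "__main__":
    for name, fields in lint_searches(SAMPLE_SEARCHES).items():
        print(f"{name}: bare security_content_ctime() on {fields}")
        print("  repaired:", repair_convert_clauses(SAMPLE_SEARCHES[name]))
```

In a repository checkout the same two functions can be run over the `search:` key of every YAML file under `detections/`; anything `lint_searches` still reports after `repair_convert_clauses` has run is a bare macro call outside a `convert` clause and needs a manual look rather than an automatic rewrite.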