Description
The current rule logic is as follows:
```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name="arp.exe"
)
(Processes.process=*-a*)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `network_connection_discovery_with_arp_filter`
```
Based on the arp binary's usage text and its manual, -g is equal to -a:
```
-a            Displays current ARP entries by interrogating the current
              protocol data.  If inet_addr is specified, the IP and Physical
              addresses for only the specified computer are displayed.  If
              more than one network interface uses ARP, entries for each ARP
              table are displayed.
-g            Same as -a.
```
-g is not something like an alias, and using -g will bypass the rule.
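To make the gap concrete, here is an added example (not code from the security_content project) that mirrors the rule's `process_name="arp.exe"` plus `process=*-a*` filter in Python, runs it over constructed process events, and compares it with a hypothetical hardened check that treats `-g` the same as `-a`; the event dicts, host names and the `ARP_TABLE_DUMP` pattern are assumptions for illustration.

```python
import re

# Constructed sample endpoint process events (not real telemetry); each carries
# the Endpoint.Processes fields the tstats search filters on.
SAMPLE_EVENTS = [
    {"process_name": "arp.exe", "process": "arp.exe -a", "dest": "ws01"},
    {"process_name": "arp.exe", "process": "arp.exe -g", "dest": "ws02"},
    {"process_name": "ARP.EXE", "process": "ARP -G", "dest": "ws03"},
    {"process_name": "arp.exe", "process": "arp.exe -s 10.0.0.1 00-11-22-33-44-55", "dest": "ws04"},
    {"process_name": "notepad.exe", "process": "notepad.exe -a", "dest": "ws05"},
]


def matches_current_rule(event):
    """Mirror of the rule as filed: process_name is arp.exe AND the command line
    matches the wildcard *-a*. Splunk compares field values case-insensitively,
    so both sides are lower-cased here."""
    return (event["process_name"].lower() == "arp.exe"
            and "-a" in event["process"].lower())


# Hypothetical hardened predicate: a standalone -a or -g switch, any case.
# The SPL equivalent would be (Processes.process=*-a* OR Processes.process=*-g*).
ARP_TABLE_DUMP = re.compile(r"(?:^|\s)-[ag](?:\s|$)", re.IGNORECASE)


def matches_fixed_rule(event):
    """Hardened check that covers -g, which the arp help text documents as
    'Same as -a'."""
    return (event["process_name"].lower() == "arp.exe"
            and ARP_TABLE_DUMP.search(event["process"]) is not None)


def detect(events, rule):
    """Return the dest of every event the given rule would alert on."""
    return [e["dest"] for e in events if rule(e)]


if __name__ == "__main__":
    current = detect(SAMPLE_EVENTS, matches_current_rule)
    fixed = detect(SAMPLE_EVENTS, matches_fixed_rule)
    print("current rule alerts on:", current)
    print("fixed rule alerts on:  ", fixed)
    print("missed by current rule:", sorted(set(fixed) - set(current)))
```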