From 950796f71f0ff1a984b7c3bed1a2cb05ec41b9df Mon Sep 17 00:00:00 2001
From: zinint <zinin.t@gmail.com>
Date: Tue, 29 Oct 2019 22:48:39 +0300
Subject: [PATCH] Update lnx_auditd_masquerading_crond.yml

---
 rules/linux/auditd/lnx_auditd_masquerading_crond.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index ef5ba8cb3..6849ee989 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -16,7 +16,7 @@ detection:
         a2: '/bin/sh'
         a3: '*/crond'
     condition: selection
-level: low
+level: medium
 tags:
     - attack.defense_evasion
     - attack.t1036