security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Promote] Potential Masquerading as Communication Apps (#3181)

Browse Source 
* [Promote] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 6fcf26b20e)
This commit is contained in:
Jonhnathan
2023-10-23 14:56:03 -03:00
committed by github-actions[bot]
parent d4e0a6cc98
commit 7b74244afb
1 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules_building_block/defense_evasion_masquerading_communication_apps.toml → rules/windows/defense_evasion_masquerading_communication_apps.toml
+3 -5
View File
@@ -5,7 +5,6 @@ maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/13"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
@@ -18,12 +17,11 @@ index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Masquerading as Communication Apps"
risk_score = 21
risk_score = 47
rule_id = "c9482bfa-a553-4226-8ea2-4959bd4f7923"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"]
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''