Beaconing - Add whitelist to rules, with some more processes (#3497)
* Add whitelist to rules, with some more processes * Update rules exceptionlist * Update exceptions --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
@@ -50,7 +50,8 @@ type = "query"
|
||||
timestamp_override = "event.ingested"
|
||||
|
||||
query = '''
|
||||
beacon_stats.is_beaconing: true
|
||||
beacon_stats.is_beaconing: true and
|
||||
not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or "WindowsAzureGuestAgent.exe" or "HealthService.exe" or "Widgets.exe" or "lsass.exe" or "msedgewebview2.exe" or "MsMpEng.exe" or "OUTLOOK.EXE" or "msteams.exe" or "FileSyncHelper.exe" or "SearchProtocolHost.exe" or "Creative Cloud.exe" or "ms-teams.exe" or "ms-teamsupdate.exe" or "curl.exe" or "rundll32.exe" or "MsSense.exe" or "wermgr.exe" or "java" or "olk.exe" or "iexplore.exe" or "NetworkManager" or "packetbeat" or "Ssms.exe" or "NisSrv.exe" or "gamingservices.exe" or "appidcertstorecheck.exe" or "POWERPNT.EXE" or "miiserver.exe" or "Grammarly.Desktop.exe" or "SnagitEditor.exe" or "CRWindowsClientService.exe")
|
||||
'''
|
||||
|
||||
|
||||
|
||||
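Review bot: Several names in the new `not process.name: (...)` clause — `rundll32.exe`, `curl.exe`, `java`, `lsass.exe`, `wermgr.exe`, `msedgewebview2.exe`, `iexplore.exe` — are the same processes that malicious beacons routinely run under or inject into, and a name-only match suppresses the detection for anything renamed to, or hosted in, one of them. Because the exclusion is baked into the rule query rather than an exception item, it applies to every deployment and cannot be tuned; the commit message says the exception list was updated too, so consider keeping only the agent/beat binaries (`WaAppAgent.exe`, `metricbeat.exe`, `packetbeat.exe`, `MsMpEng.exe`, …) in the query and moving the high-abuse names into exceptions. If the beaconing transform index carries them, scoping the clause with `process.executable` or `process.code_signature.trusted` would reduce the benign noise without a blanket name exclusion — confirm against the transform's field mapping, since the hunk only shows `process.name`. The rule's `note` or description should also record why each excluded name is expected to beacon, so the list can be re-justified when it is revisited; the rest of the rule file is outside the hunk.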