From df670fac567b73fbc27cfd10bba38c33734bc139 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Wed, 27 Jul 2022 11:58:30 -0400
Subject: [PATCH] [Rule Tuning] Potential Microsoft Office Sandbox Evasion (#2123)

* filter run by macOS os type
---
 ...efense_evasion_sandboxed_office_app_suspicious_zip_file.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index b9945d1ef..1bbc4c24e 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -28,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:file and not event.type:deletion and file.name:~$*.zip
+event.category:file and not event.type:deletion and file.name:~$*.zip and host.os.type:macos
 '''
 [[rule.threat]]
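Review bot: The new `and host.os.type:macos` clause on the `+` line makes every match conditional on that field being present, so file events from a shipper or agent version that does not populate `host.os.type` now drop out of the rule silently instead of alerting. That requirement is worth recording next to the query, for example `# requires host.os.type on file events; documents without it never match` above `query = '''`, or in the rule's setup text if it has one. The diffstat shows a single changed line, so the metadata table (outside this hunk) was presumably left as is; if it carries an `updated_date`, that should move with the query. The rule table starts before the hunk and `[[rule.threat]]` continues past it.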