* Add "by host.id" argument to the sequence command in the rule query.
* Update collection_email_outlook_mailbox_via_com.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 5048bc26bd)
committed by
github-actions[bot]
parent
617991db0b
commit
e027efeb53
@@ -69,6 +69,7 @@
|
||||
"process.Ext.token.integrity_level_name": "keyword",
|
||||
"process.parent.Ext.real.pid": "long",
|
||||
"process.Ext.effective_parent.executable": "keyword",
|
||||
"process.Ext.effective_parent.entity_id": "keyword",
|
||||
"process.Ext.effective_parent.name": "keyword",
|
||||
"file.Ext.header_bytes": "keyword",
|
||||
"file.Ext.entropy": "long",
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2023/01/11"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2024/05/21"
|
||||
updated_date = "2024/06/20"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -43,9 +43,9 @@ sequence with maxspan=1m
|
||||
(process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)
|
||||
)
|
||||
)
|
||||
] by process.executable
|
||||
] by process.entity_id
|
||||
[process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
|
||||
process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable
|
||||
process.Ext.effective_parent.name != null] by process.Ext.effective_parent.entity_id
|
||||
'''
|
||||
|
||||
|
||||
|
||||
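Review bot: The `by host.id` join named in the commit title is not visible in this section: the only changes to the rule body are the per-stage join keys, `] by process.executable` → `] by process.entity_id` and `process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable` → `... by process.Ext.effective_parent.entity_id`, while the hunk header's context line `sequence with maxspan=1m` (normally taken from the pre-change side) carries no `by` clause. If the sequence line had been edited it would have produced its own hunk, and none in this chunk covers it, so confirm the backport really includes `sequence with maxspan=1m by host.id`; without it the two stages are correlated by entity_id alone, with no host-level scoping. The switch from executable path to entity_id is itself sound, since both stages now join on the same process identity (the first event's `process.entity_id` against the Outlook process's `process.Ext.effective_parent.entity_id`) and no longer correlate unrelated processes that merely share a binary path; it relies on `process.Ext.effective_parent.entity_id` being declared in the non-ECS schema, which the first hunk appears to cover. The enclosing sequence begins before this hunk.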