Link to Rule
https://github.com/elastic/detection-rules/blob/main/rules/linux/credential_access_ssh_backdoor_log.toml

Rule Tuning Type
Data Quality - Ensuring integrity and quality of data used by detection rules.

Description
As currently defined, the rule uses these three index patterns to run:

auditbeat-*
logs-endpoint.events.*
endgame-*

This can cause issues when defining exceptions, as some fields are specific to logs-endpoint.events.file. For instance, specifying file.path (which is explicitly queried as part of the rule definition) in a rule exception leads to the error:

This field is defined as different types across the following indices or is unmapped. This can cause unexpected query results.

This is because the field doesn't exist for logs-endpoint.events.process or logs-endpoint.events.network.

Considering the fields queried in the rule definition:

file host.os.type event.type process.executable file.name file.extension file.path

Would it make sense to restrict the rule to the logs-endpoint.events.file-* pattern, like we do for Suspicious Web Browser Sensitive File Access for instance?

Example Data
No response
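The mismatch the issue describes can be checked mechanically: for every field a rule queries, list the data streams selected by the rule's index patterns that do not map that field. The script below is an added example, not code from the issue or from the elastic/detection-rules repository. The stream-to-field mapping in STREAM_FIELDS is constructed for illustration and is not the real Elastic Endpoint, Auditbeat or Endgame schema; the function names (matching_streams, unmapped_fields, narrowing_candidates) are hypothetical. It runs the check against the rule's current three patterns and against the proposed logs-endpoint.events.file-* pattern.

```python
"""Added example (not from the issue or the elastic/detection-rules repo).

For each field a rule queries, report which of the data streams matched by
the rule's index patterns do not map it.  A field mapped in only some of
the matched streams is what makes Kibana refuse it in a rule exception with
"This field is defined as different types across the following indices or
is unmapped".  The mapping below is CONSTRUCTED for the example; it is not
the real Elastic Endpoint, Auditbeat or Endgame schema.
"""
import fnmatch

# Constructed sample of concrete data streams and the fields each one maps
# (assumption for illustration only; real mappings come from the packages).
STREAM_FIELDS = {
    "auditbeat-8.12.0": {
        "host.os.type", "event.type", "process.executable",
        "file.name", "file.extension", "file.path",
    },
    "endgame-1": {
        "host.os.type", "event.type", "process.executable",
        "file.name", "file.extension", "file.path",
    },
    "logs-endpoint.events.file-default": {
        "host.os.type", "event.type", "process.executable",
        "file.name", "file.extension", "file.path",
    },
    # Process and network streams carry no file.* fields.
    "logs-endpoint.events.process-default": {
        "host.os.type", "event.type", "process.executable",
    },
    "logs-endpoint.events.network-default": {
        "host.os.type", "event.type", "process.executable",
    },
}

# Fields the issue lists as queried by the rule.
RULE_FIELDS = [
    "host.os.type", "event.type", "process.executable",
    "file.name", "file.extension", "file.path",
]
CURRENT_INDICES = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
PROPOSED_INDICES = ["logs-endpoint.events.file-*"]


def matching_streams(pattern, streams=STREAM_FIELDS):
    """Concrete data streams selected by one index pattern (glob semantics)."""
    return sorted(s for s in streams if fnmatch.fnmatchcase(s, pattern))


def unmapped_fields(index_patterns, fields, streams=STREAM_FIELDS):
    """Map each queried field to the matched streams that do not map it.

    An empty dict means every field is mapped everywhere the rule runs, so
    the field can be used in an exception without the mixed-mapping error.
    """
    selected = sorted({s for p in index_patterns
                       for s in matching_streams(p, streams)})
    report = {}
    for field in fields:
        missing = [s for s in selected if field not in streams[s]]
        if missing:
            report[field] = missing
    return report


def narrowing_candidates(pattern, fields, streams=STREAM_FIELDS):
    """Streams under a wildcard pattern that map every queried field.

    These are the streams a narrower pattern (such as
    logs-endpoint.events.file-*) would have to keep.
    """
    return [s for s in matching_streams(pattern, streams)
            if all(f in streams[s] for f in fields)]


if __name__ == "__main__":
    print("current patterns:", unmapped_fields(CURRENT_INDICES, RULE_FIELDS))
    print("proposed pattern:", unmapped_fields(PROPOSED_INDICES, RULE_FIELDS))
    print("streams under logs-endpoint.events.* mapping all fields:",
          narrowing_candidates("logs-endpoint.events.*", RULE_FIELDS))
```

With the constructed mapping, the current index list reports file.name, file.extension and file.path as unmapped in the process and network streams, while the proposed logs-endpoint.events.file-* list reports nothing, which is the outcome the issue is asking for. Against a real cluster the same check would read the mappings from the index templates instead of a hard-coded dict.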