[SIEM] Detection Fix typo in Adobe Hijack Persistence rule (#58804) (#58993)

Fixes #58803

Co-authored-by: Nic <nicpenning@hotmail.com>
FrankHassanabad and Nic authored Mar 2, 2020
1 parent ebd3f65 commit 1cf8078
Showing 1 changed file with 2 additions and 2 deletions.
@@ -6,7 +6,7 @@
"language": "kuery",
"max_signals": 100,
"name": "Adobe Hijack Persistence",
"query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
"query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe",
"risk_score": 21,
"rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
"severity": "low",
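Review bot: the exclusion at the end of the changed "query" line, `not process.name:msiexec.exe`, matches on the process name alone, so any process carrying that file name is exempted from the rule no matter where it runs from; consider also constraining the installer's location (for example with a `process.executable` condition) so only the system installer is excluded. The misspelled `msiexeec.exe` on the earlier line could never match the real installer, so the exclusion was inert and legitimate installs would have alerted; a test that runs the query against a sample "File created (rule: FileCreate)" event from msiexec.exe would catch this kind of typo before it ships.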
@@ -32,5 +32,5 @@
}
],
"type": "query",
"version": 1
"version": 2
}
