Update PasswordSprayingWithMDE.yaml #11455

Merged (4 commits) on Nov 21, 2024
@@ -1,7 +1,7 @@
id: dd22dc4f-ab7c-4d0a-84ad-cc393638ba31
name: Match Legitimate Name or Location - 2
description: |
Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.
Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.
This query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts.
severity: Medium
status: Available
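Review bot: the reworded description still does not parse; "based trust of on certain operating system processes" now carries both "of" and "on". Suggest `Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based on trust of certain operating system processes.` Also, the PR title refers to PasswordSprayingWithMDE.yaml, while the analytic edited in this hunk is `name: Match Legitimate Name or Location - 2`; the title should name the rule the PR actually changes so the history is searchable.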
Expand Down Expand Up @@ -58,5 +58,5 @@ entityMappings:
fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
version: 1.0.0
kind: Scheduled
version: 1.0.1
kind: Scheduled
Expand Up @@ -43,9 +43,5 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: IPAddress
- entityType: Process
fieldMappings:
- identifier: CommandLine
columnName: ProcessCommandLine
version: 1.0.0
kind: Scheduled
version: 1.0.1
kind: Scheduled
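Review bot: this hunk drops the whole `entityType: Process` mapping (`CommandLine` to `ProcessCommandLine`), which is a functional change to how incidents from this rule are enriched, and nothing in the PR title explains it. Confirm the intent: if the query no longer projects `ProcessCommandLine`, say so, since a mapping to a missing column fails validation; if the column is still projected, the mapping should stay so analysts keep the process entity on triage. Either way, please describe the removal in the PR description alongside the 1.0.0 to 1.0.1 bump.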
Binary file modified Solutions/FalconFriday/Package/3.0.0.zip
Binary file not shown.
2 changes: 1 addition & 1 deletion Solutions/FalconFriday/Package/createUiDefinition.json
Expand Up @@ -296,7 +296,7 @@
"name": "analytic16-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts."
"text": "Attackers often match or approximate the name or location of legitimate files to avoid detection rules that are based trust of on certain operating system processes.\nThis query detects mismatches in the parent-child relationship of core operating system processes to uncover different masquerading attempts."
}
}
]
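Review bot: the `"text"` value in this hunk duplicates the YAML description and carries the same "based trust of on" wording, so it needs the same fix; suggest `...to avoid detection rules that are based on trust of certain operating system processes.` Whatever wording is settled on in the rule YAML should be mirrored here so the Content Hub UI text and the analytic description do not drift apart.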