Suspicious process creation analytics rule logic error #11215
Comments
Hi @msamoi, thanks for flagging this issue; we will investigate this issue and get back to you with some updates. Thanks!
Hi @msamoi, please use the query below to check if your issue is resolved.
```kql
_ASim_ProcessEvent |
```
Hello. Yes, the query does solve the issues described in the original post; however, there are a few things I would like to point out:
Isn't it faster to check each command's entire argument list at once, rather than each substring separately? I made a query based on this logic, and it finished in less than 10 seconds on the same data set. I still kept the array slicing to keep the query from matching "base64" with the command itself, instead of just the arguments:
Any thoughts?
Hi @msamoi, we are working on updating the query as per your suggestion and will also update the solution package. We will notify you once the PR is merged.
Hi @msamoi, we have updated the rule and the solution package. This new update will be available in solution version 3.0.1 soon.
The problem
The "Process Creation with Suspicious CommandLine Arguments" analytics rule contains a type error on the 3rd line of the query, where an array is passed to the todynamic() function, which only accepts strings. See the first screenshot.
Additionally, the operations on the 4th and 5th lines of the query expect the same variable to be both a string and a dynamic type. Please look at the 2nd screenshot for clarity.
To Reproduce
Steps to reproduce the behavior:
Screenshots: two screenshots (1 and 2) referenced above; the images are not reproduced here.
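The following KQL is an added example, not the Sentinel analytics rule and not the reporter's query. It covers both points raised in this thread: the original report (split() already returns a dynamic array, so wrapping it in todynamic() and then treating the result as both string and dynamic is what produces the type errors) and the approach suggested in the comments (slice the executable off the token array, then check the whole argument list with one has_any instead of one substring test per token). The column names follow the ASIM ProcessEvent schema (CommandLine, DvcHostname); the token list and the three sample rows are constructed here so the query runs against a datatable rather than a live workspace.

```kql
// Added example, not the Sentinel rule or the reporter's query.
// The token list is illustrative, not the rule's real list.
let SuspiciousTokens = dynamic(["base64", "enc", "EncodedCommand", "FromBase64String", "IEX"]);
// Constructed sample events standing in for _ASim_ProcessEvent.
let SampleProcessEvents = datatable(TimeGenerated:datetime, DvcHostname:string, CommandLine:string) [
    datetime(2024-01-01 10:00:00), "ws01", "powershell.exe -nop -w hidden -enc SQBFAFgA",
    datetime(2024-01-01 10:01:00), "ws02", "base64 --decode /tmp/stage.b64",
    datetime(2024-01-01 10:02:00), "ws03", "cmd.exe /c echo hello"
];
SampleProcessEvents
// split() already returns a dynamic array; wrapping it in todynamic() is the
// type error the report describes, so the array is used as-is.
| extend Tokens = split(CommandLine, " ")
// Drop element 0 (the executable) so a binary that is itself named "base64"
// does not match on its own name; only the arguments are inspected.
| extend Arguments = array_slice(Tokens, 1, -1)
// Join the arguments back into one string so the single has_any below always
// operates on a string, instead of mixing string and dynamic operations.
| extend ArgumentString = strcat_array(Arguments, " ")
// One term-based check over the whole argument list per event.
| where ArgumentString has_any (SuspiciousTokens)
| project TimeGenerated, DvcHostname, CommandLine, Arguments
```

On the sample rows only ws01 is returned: its argument string contains the term "enc". ws02 is not returned even though the executable is named base64, because that token was sliced away before the check, which is exactly the false positive the array slicing is meant to avoid. Note that splitting on a single space does not respect quoted arguments, so an argument such as "C:\Program Files\x" becomes several tokens; that is harmless for has_any term matching but matters if the Arguments array is used positionally.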