
[BUG] Linux Service Started Or Enabled triggering on Windows events

Open 0xC0FFEEEE opened this issue 1 year ago • 2 comments

Describe the bug

The Linux Service Started Or Enabled rule can trigger on Windows events.

Expected behavior

Rule does not trigger on events from Windows Sysmon

Screenshots


App Version:

  • ESCU: 4.18.0

Additional context

I got a good laugh out of this.

Appending NOT Processes.os="Microsoft Windows" to the end of the where clause seems sufficient for resolving this issue.

0xC0FFEEEE avatar Jan 17 '24 13:01 0xC0FFEEEE

oh man, that is 1 for the data models and 0 for the detections, thank you for raising this! Will make sure it's patched on our next release.

josehelps avatar Jan 24 '24 02:01 josehelps

Thanks @josehelps

I think the score is even. I've had to further update the filter with the following as the CIM data model is inconsistent between Sysmon and the Security Channel:

NOT (Processes.os="Microsoft Windows" OR Processes.vendor_product="Microsoft Windows")

0xC0FFEEEE avatar Jan 24 '24 09:01 0xC0FFEEEE
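To make the field inconsistency from this thread concrete, here is an added Python model (not code from the issue or from the security_content project) that applies both exclusion filters to constructed Endpoint.Processes records. Hostnames, process strings and field values are constructed; the only assumption taken from the thread is that Sysmon populates Processes.os while the Security channel populates Processes.vendor_product.

```python
"""Model of the two exclusion filters discussed in the issue, applied to
constructed Splunk CIM Endpoint.Processes records (dicts keyed by field name).
"""

# Constructed records standing in for events the rule's own criteria already
# matched. Only the Windows Sysmon record carries os="Microsoft Windows";
# the Windows Security-channel record carries vendor_product instead.
SAMPLE_EVENTS = [
    {"host": "lnx-web01", "process_name": "systemctl",
     "process": "systemctl enable app.service", "os": "Linux"},
    {"host": "win-app01", "process_name": "systemctl",
     "process": "systemctl enable app.service", "os": "Microsoft Windows"},
    {"host": "win-dc01", "process_name": "systemctl",
     "process": "systemctl enable app.service",
     "vendor_product": "Microsoft Windows"},  # Security channel, no os field
]


def is_windows_os_only(event):
    """First filter from the thread: NOT Processes.os="Microsoft Windows"."""
    return event.get("os") == "Microsoft Windows"


def is_windows(event):
    """Second filter: also check Processes.vendor_product, because Security
    channel events do not populate Processes.os consistently."""
    return (event.get("os") == "Microsoft Windows"
            or event.get("vendor_product") == "Microsoft Windows")


def apply_exclusion(events, is_excluded):
    """Return the events that would still alert after the exclusion."""
    return [e for e in events if not is_excluded(e)]


def surviving_hosts(events, is_excluded):
    """Hosts that still alert; useful for comparing the two filters."""
    return [e["host"] for e in apply_exclusion(events, is_excluded)]


if __name__ == "__main__":
    # os-only filter still lets the Security-channel Windows event through
    print("os only:", surviving_hosts(SAMPLE_EVENTS, is_windows_os_only))
    # os OR vendor_product filter leaves only the genuine Linux event
    print("os or vendor_product:", surviving_hosts(SAMPLE_EVENTS, is_windows))
```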