phantinuss

Results 28 comments of phantinuss

The selections match using the `|endswith` modifier. The question marks are one-character wildcards. Therefore I don't see a systematic issue with the rule. Your example, if it would use a...
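As an added illustration of the matching semantics described in that comment (this is example code written here, not the poster's code and not part of SigmaHQ/sigma), the evaluator below implements the `|endswith`, `|startswith` and `|contains` modifiers together with the `?` (exactly one character) and `*` (any run of characters) wildcards, case-insensitively as Sigma specifies for string fields, and runs a constructed `selection and not filter` detection over constructed process-creation events. The rule fragment, field names and events are assumptions made for the demo, not a real rule or real telemetry.

```python
"""Minimal Sigma-style selection evaluator (added example, not SigmaHQ code)."""
from __future__ import annotations

import re
from typing import Any


def sigma_value_to_regex(value: str, modifiers: tuple[str, ...] = ()) -> re.Pattern:
    # '?' -> exactly one character, '*' -> any run of characters (possibly empty),
    # everything else literal. Sigma string matching is case-insensitive.
    body = "".join(
        "." if ch == "?" else ".*" if ch == "*" else re.escape(ch) for ch in value
    )
    if "contains" in modifiers:
        body = ".*" + body + ".*"
    elif "startswith" in modifiers:
        body = body + ".*"
    elif "endswith" in modifiers:
        body = ".*" + body
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE | re.DOTALL)


def selection_matches(selection: dict[str, Any], event: dict[str, Any]) -> bool:
    # Keys inside one selection are AND-ed; a list of values for one key is OR-ed.
    for key, values in selection.items():
        field, *mods = key.split("|")
        if field not in event:
            return False
        candidates = values if isinstance(values, list) else [values]
        if not any(
            sigma_value_to_regex(str(v), tuple(mods)).match(str(event[field]))
            for v in candidates
        ):
            return False
    return True


def rule_matches(detection: dict[str, Any], event: dict[str, Any]) -> bool:
    # Supports the two condition shapes most rules use:
    # "<selection>" and "<selection> and not <filter>".
    cond = detection["condition"].split()
    if not selection_matches(detection[cond[0]], event):
        return False
    if len(cond) == 4 and cond[1:3] == ["and", "not"]:
        return not selection_matches(detection[cond[3]], event)
    return True


# Constructed detection block in Sigma style (assumption, not a real rule).
DETECTION = {
    "selection": {
        "Image|endswith": "\\net?.exe",          # matches net1.exe but NOT net.exe
        "CommandLine|contains": ["user", "group"],
    },
    "filter": {"ParentImage|endswith": "\\services.exe"},
    "condition": "selection and not filter",
}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 user backdoor Passw0rd /add",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},      # matches
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user backdoor Passw0rd /add",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},      # '?' needs one char: no match
    {"Image": r"C:\Windows\System32\NET1.EXE",
     "CommandLine": "NET1 GROUP Administrators",
     "ParentImage": r"C:\Windows\System32\services.exe"},  # case-insensitive hit, filtered
    {"Image": r"C:\Temp\evilnet1.exe",
     "CommandLine": "evilnet1 user x",
     "ParentImage": r"C:\Temp\a.exe"},                     # no '\' before 'net': no match
]


def matching_indices(detection: dict[str, Any] = DETECTION,
                     events: list[dict[str, Any]] = EVENTS) -> list[int]:
    """Indices of events the detection fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(detection, ev)]


if __name__ == "__main__":
    print(matching_indices())
```

The leading backslash in `\net?.exe` is what stops `evilnet1.exe` from matching, and `?` being exactly one character is what keeps `net.exe` out of a `net?.exe` selection; if a rule is meant to cover both binaries it needs two values in the list rather than a wildcard.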

resolved in #5424

@seanthegeek : Can you provide an example log? It's just easier to think about stuff when I can use some visual help.

I was thinking about what to do best several times, so I am very happy to get feedback from a user about it. I'll work on a version that includes...

Would something like this work? Any info that you would like to see that's missing? ```json { "7f6a4760-ab59-4f4c-bb72-6b8864901ea0": { "title": "Suspicious Something Executed", "change_type": "new", "change_reason": "", "authors": ["jdoe"], "merge_date":...

We could add a `level: high` rule to match when the command line is found but the executable is not named with its default name i.e. was renamed. In addition...

The file name has to start with `proc_creation_lnx_` for the test to pass. For the echo selection part of the rule: I think it's fine. It's a best-effort approach....

Do your things @nasbench. I'll give the rule a tweak afterwards to increase coverage (more include paths) but also add the default cron jobs as filters for the distributions that...