
Dlux 2 - Misc updates to existing detections #3025

Merged
merged 28 commits into from
Jul 26, 2024

Conversation

@dluxtron dluxtron (Collaborator) commented Jul 2, 2024

Pushing several updates to existing detections for SPL improvements.

@dluxtron dluxtron changed the title Dlux 2 Dlux 2 - Misc updates to existing detections Jul 2, 2024
@patel-bhavin patel-bhavin (Contributor) commented:

Found 3 detection failures: Will need to investigate them!


Review comment on the detection search under review (excerpt as quoted in the thread):

```
by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy")
| appendpipe [
| map search="search `wineventlog_security` EventCode=5136 AttributeSyntaxOID=2.5.5.12 AttributeValue=$displayName$" | rename AttributeValue as displayName]
```

@dluxtron We would need both the datasets here: one for admon and the other for EventCode=5136. Same with the other admon detection!
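As an added illustration (not part of this PR or the security_content project), the two-stage logic of the quoted search in Python, run over constructed admon and EventCode 5136 records: the second stage only yields rows when both datasets are present, which is the point of the review comment above. Field names follow the SPL; the sample records, DC names and user names are constructed.

```python
# Constructed sample records (not from the PR); field names follow the quoted SPL.
ADMON_EVENTS = [
    {"_time": "2024-07-02T10:00:00", "admonEventType": "Update", "dcName": "DC01",
     "objectCategory": "CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=corp,DC=local",
     "displayName": "Default Domain Policy"},
    {"_time": "2024-07-02T10:05:00", "admonEventType": "Update", "dcName": "DC01",
     "objectCategory": "CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=corp,DC=local",
     "displayName": "Finance Drive Maps"},  # not one of the two default GPOs
    {"_time": "2024-07-02T10:07:00", "admonEventType": "Add", "dcName": "DC02",
     "objectCategory": "CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=corp,DC=local",
     "displayName": "Default Domain Controllers Policy"},  # not an Update
]
SECURITY_EVENTS = [
    {"_time": "2024-07-02T10:00:02", "EventCode": 5136, "AttributeSyntaxOID": "2.5.5.12",
     "AttributeValue": "Default Domain Policy", "SubjectUserName": "jdoe"},
    {"_time": "2024-07-02T10:00:03", "EventCode": 5136, "AttributeSyntaxOID": "2.5.5.12",
     "AttributeValue": "Finance Drive Maps", "SubjectUserName": "gpoadmin"},
]

DEFAULT_POLICIES = {"Default Domain Policy", "Default Domain Controllers Policy"}
# objectCategory="CN=Group-Policy-Container,...,DC=*": the trailing wildcard is a prefix match
GPO_CATEGORY_PREFIX = "CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC="

def admon_default_gpo_updates(admon_events):
    """Stage 1: admon Update events on either default GPO (the base search)."""
    return [e for e in admon_events
            if e["admonEventType"] == "Update"
            and e["objectCategory"].startswith(GPO_CATEGORY_PREFIX)
            and e["displayName"] in DEFAULT_POLICIES]

def correlate_with_5136(admon_hits, security_events):
    """Stage 2 (the appendpipe/map): one 5136 lookup per stage-1 row, keeping
    string-attribute (2.5.5.12) changes whose AttributeValue is that GPO's name."""
    names = {h["displayName"] for h in admon_hits}
    return [{**e, "displayName": e["AttributeValue"]} for e in security_events
            if e["EventCode"] == 5136 and e["AttributeSyntaxOID"] == "2.5.5.12"
            and e["AttributeValue"] in names]

def detect(admon_events, security_events):
    """Stats-style summary keyed by displayName; the wineventlog_security source
    only shows up when both datasets are supplied."""
    hits = admon_default_gpo_updates(admon_events)
    summary = {}
    for r in hits + correlate_with_5136(hits, security_events):
        s = summary.setdefault(r["displayName"], {"firstTime": r["_time"], "lastTime": r["_time"], "sources": set()})
        s["firstTime"], s["lastTime"] = min(s["firstTime"], r["_time"]), max(s["lastTime"], r["_time"])
        s["sources"].add("admon" if "admonEventType" in r else "wineventlog_security")
    return summary
```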

@patel-bhavin patel-bhavin added this to the v4.37.0 milestone Jul 24, 2024
@patel-bhavin patel-bhavin merged commit e4953d9 into develop Jul 26, 2024
7 checks passed
@patel-bhavin patel-bhavin deleted the dlux_2 branch July 26, 2024 15:24
@ljstella ljstella mentioned this pull request Jul 29, 2024