Thanks for continuing the series Eric!

I'm getting an error when I try to test the rule against another event (following along with the "testing" portion of your video).

I get this error:

false => (is) {"op":"is","path":"detect/event/FILE_PATH","value":"C:\\Windows\\System32\\svchost.exe"}

In the detection I'm testing against, the command line is:

"COMMAND_LINE": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc",

And of course, I've used your example detection statements:

- op: is

path: detect/event/FILE_PATH

value: C:\Windows\System32\svchost.exe

Can you see what I'm doing wrong based on what I've presented here?


Expand full comment
deletedNov 22
Comment deleted
Expand full comment