So now you can write detections, which means you will soon learn about false positives; let's practice tuning those.
Thanks for continuing the series Eric!
I'm getting an error when I try to test the rule against another event (following along with the "testing" portion of your video).
I get this error:
false => (is) {"op":"is","path":"detect/event/FILE_PATH","value":"C:\\Windows\\System32\\svchost.exe"}
In the detection I'm testing against, the command line is:
"COMMAND_LINE": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc",
And of course, I've used your example detection statements:
- op: is
  path: detect/event/FILE_PATH
  value: C:\Windows\System32\svchost.exe
Can you see what I'm doing wrong based on what I've presented here?
Thanks!
Looks like it should be working -- can you continue tweaking your rule? For instance, see if you get different results with
- op: ends with
  path: detect/event/FILE_PATH
  value: svchost.exe
Thanks! That particular tweak worked!
That is why this was a recorded lecture/demo: it's very difficult to recreate this without specific conditions being met... My goal was instead to teach the overall concept so that you can test it with your own detections.
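Added example, not part of the thread or of the course material it discusses: a small Python evaluator for the two rule operators the exchange compares ("is" and "ends with"), run against a constructed event. The thread never says why the exact-match rule failed; one explanation consistent with the lowercase "system32" in the quoted COMMAND_LINE is a case-sensitive comparison, which the evaluator models, and trace() reproduces the "false => (is) {...}" line the poster saw. The FILE_PATH value, the nested event layout, the extra "starts with"/"contains" operators and the "case sensitive" option (modelled on the option LimaCharlie's rule language offers, assumed here) are all assumptions, not facts from the thread.

```python
# Added example (not the course's or any rule engine's own code): evaluate
# single-operator rules like the ones in the thread against a nested event.
import json

# Constructed event.  FILE_PATH is ASSUMED to use the same lowercase
# "system32" spelling as the COMMAND_LINE quoted in the thread; the thread
# never shows the real FILE_PATH value.
SAMPLE_EVENT = {
    "detect": {
        "event": {
            "FILE_PATH": "C:\\Windows\\system32\\svchost.exe",
            "COMMAND_LINE": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc",
        }
    }
}

# The two rules from the thread, written as dicts instead of YAML.
RULE_IS = {"op": "is", "path": "detect/event/FILE_PATH",
           "value": "C:\\Windows\\System32\\svchost.exe"}
RULE_ENDS_WITH = {"op": "ends with", "path": "detect/event/FILE_PATH",
                  "value": "svchost.exe"}


def lookup(event, path):
    """Walk a slash-separated path into the nested event; None if absent."""
    node = event
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate(rule, event):
    """Return True when the rule's operator matches the value at rule['path'].

    Comparison is case-sensitive unless the rule carries
    'case sensitive': False (an ASSUMED option, modelled on the one
    LimaCharlie's rule language provides).
    """
    actual = lookup(event, rule["path"])
    if not isinstance(actual, str):
        return False            # missing field or non-string value: no match
    expected = rule["value"]
    if not rule.get("case sensitive", True):
        actual, expected = actual.lower(), expected.lower()
    op = rule["op"]
    if op == "is":
        return actual == expected
    if op == "ends with":
        return actual.endswith(expected)
    if op == "starts with":
        return actual.startswith(expected)
    if op == "contains":
        return expected in actual
    raise ValueError(f"unsupported op: {op}")


def trace(rule, event):
    """Render the outcome in the shape of the poster's test output:
    '<result> => (<op>) <rule as compact JSON>'."""
    result = evaluate(rule, event)
    shown = {k: rule[k] for k in ("op", "path", "value")}
    return f"{str(result).lower()} => ({rule['op']}) {json.dumps(shown, separators=(',', ':'))}"


if __name__ == "__main__":
    for rule in (RULE_IS, RULE_ENDS_WITH, {**RULE_IS, "case sensitive": False}):
        print(trace(rule, SAMPLE_EVENT))
```

Running it prints the exact-match rule failing, the "ends with" rule matching, and the exact-match rule matching once the comparison is made case-insensitive, which is the tuning question worth answering before loosening an operator: "ends with svchost.exe" also matches a same-named binary in any other directory, so if the directory matters to the detection, a case-insensitive full-path comparison is the tighter fix.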