So you want to be a SOC Analyst? Part 5
So now you can write detections, which means you will soon learn about false positives; let's practice tuning those.

Thanks for continuing the series, Eric!
I'm getting an error when I try to test the rule against another event (following along with the "testing" portion of your video).
I get this error:
false => (is) {"op":"is","path":"detect/event/FILE_PATH","value":"C:\\Windows\\System32\\svchost.exe"}
In the detection I'm testing against, the command line is:
"COMMAND_LINE": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc",
And of course, I've used your example detection statements:
- op: is
  path: detect/event/FILE_PATH
  value: C:\Windows\System32\svchost.exe
Can you see what I'm doing wrong based on what I've presented here?
Thanks!
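The only visible difference between the rule value and the path in the quoted event is letter case ("System32" versus "system32"), and an exact-string `is` comparison will fail on that even though NTFS paths are case-insensitive. As an added example (my own evaluator, not code from the series or from LimaCharlie), the following mimics the `is` operator with and without the `case sensitive: false` modifier that LimaCharlie's rule syntax provides, run against a constructed event shaped like the one in the comment:

```python
# Constructed NEW_PROCESS-style event, shaped like the one quoted in the comment.
# The endpoint reports the lower-case "system32"; the rule was written with "System32".
EVENT = {
    "routing": {"event_type": "NEW_PROCESS", "hostname": "example-host"},
    "event": {
        "FILE_PATH": "C:\\Windows\\system32\\svchost.exe",
        "COMMAND_LINE": "C:\\Windows\\system32\\svchost.exe -k wusvcs -p -s WaaSMedicSvc",
    },
}

def lookup(event, path):
    """Resolve a 'detect/...' path: 'detect' is the event root, the rest are nested keys."""
    parts = path.split("/")
    if parts and parts[0] == "detect":
        parts = parts[1:]
    node = event
    for key in parts:
        if not isinstance(node, dict) or key not in node:
            return None  # missing field never matches
        node = node[key]
    return node

def evaluate(rule, event):
    """Minimal evaluator for the 'is' and 'and' operators (hypothetical, not LimaCharlie's engine)."""
    op = rule["op"]
    if op == "and":
        return all(evaluate(sub, event) for sub in rule["rules"])
    if op == "is":
        actual = lookup(event, rule["path"])
        if actual is None:
            return False
        expected = rule["value"]
        if rule.get("case sensitive", True):
            return actual == expected          # byte-for-byte, "S" != "s"
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"unsupported op: {op}")

# The rule from the comment, strict (default) and with case sensitivity switched off.
RULE_STRICT = {"op": "is", "path": "detect/event/FILE_PATH",
               "value": "C:\\Windows\\System32\\svchost.exe"}
RULE_RELAXED = dict(RULE_STRICT, **{"case sensitive": False})

if __name__ == "__main__":
    print(evaluate(RULE_STRICT, EVENT))   # False: exact compare fails on case
    print(evaluate(RULE_RELAXED, EVENT))  # True: matches regardless of case
```

When testing against a real event, compare the rule value against the event's FILE_PATH field rather than COMMAND_LINE, since that is the field the path points at.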