Greetings Aravind, Can you provide some relevant logs/detections for the
issue you're having? Your logic looks good and I ran your logic in a demo
environment and I am not seeing any issue. Also, as a note: Please
consider using a state as well as a coun...
I believe that the UDM field target.ip is limited to metadata.event_type
= *_NETWORK, NETWORK_*, STATUS_UPDATE or similar. Per your YARA-L rule
the UDM field target.process.file.full_path = /\/bin\/bash/ would be
specific to event type 'PROCESS_LAUN...