splunk/security_content

[BUG] Linux Service Started Or Enabled triggering on Windows events

0xC0FFEEEE opened this issue · 2 comments

Describe the bug

The Linux Service Started Or Enabled rule can trigger on Windows events.

Expected behavior

Rule does not trigger on events from Windows Sysmon

Screenshots

[screenshot attached to the original issue; not reproduced here]

App Version:

  • ESCU: 4.18.0

Additional context

I got a good laugh out of this.

Appending NOT Processes.os="Microsoft Windows" to the end of the where clause seems sufficient for resolving this issue.

oh man, that is 1 for the data models and 0 for the detections, thank you for raising this! Will make sure it's patched on our next release.

Thanks @josehelps

I think the score is even. I've had to further update the filter with the following, as the CIM data model is inconsistent between Sysmon and the Security Channel:

NOT (Processes.os="Microsoft Windows" OR Processes.vendor_product="Microsoft Windows")
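The following is an added illustration, not part of the issue thread and not ESCU's own search. It reimplements the two exclusion filters from the thread as Python predicates and runs them over constructed events shaped like CIM Endpoint.Processes fields, so the difference between the first fix (os only) and the second fix (os or vendor_product) is visible. The match criterion (a command line containing "start" or "enable") is a simplified stand-in for the real detection's conditions, and the assumption that the Sysmon path populates Processes.os while the Security-channel path populates only Processes.vendor_product is made for illustration; the thread only says the two sources are inconsistent.

```python
"""Model of the 'Linux Service Started Or Enabled' false-positive discussed in
this issue. Added illustration, not ESCU's own search: the Splunk where clause
is reimplemented as Python predicates so the two exclusion filters can be
compared on constructed Endpoint.Processes-style events."""
import re
from typing import Callable, Dict, Iterable, List

Event = Dict[str, str]

# Constructed sample events shaped like CIM Endpoint.Processes fields.
# ASSUMPTION for illustration only: the Sysmon path populates Processes.os,
# while the Security-channel (4688) path populates Processes.vendor_product
# and leaves Processes.os empty. The issue states only that the two sources
# are inconsistent.
SAMPLE_EVENTS: List[Event] = [
    {"dest": "web01", "process_name": "systemctl",
     "process": "systemctl enable nginx.service",
     "os": "Linux", "vendor_product": "Sysmon for Linux"},
    {"dest": "web02", "process_name": "systemctl",
     "process": "systemctl status sshd",
     "os": "Linux", "vendor_product": "Sysmon for Linux"},
    {"dest": "win-sysmon", "process_name": "sc.exe",
     "process": "sc.exe start Spooler",
     "os": "Microsoft Windows", "vendor_product": "Microsoft Sysmon"},
    {"dest": "win-seclog", "process_name": "sc.exe",
     "process": "sc.exe start Spooler",
     "vendor_product": "Microsoft Windows"},  # no Processes.os populated
]

# Simplified stand-in for the detection's match criteria: a command line that
# starts or enables a service. The real ESCU search has its own, more specific
# conditions; only the exclusion logic is the point here.
SERVICE_CHANGE = re.compile(r"\b(start|enable)\b", re.IGNORECASE)


def looks_like_service_change(event: Event) -> bool:
    """True when the command line looks like a service start/enable."""
    return bool(SERVICE_CHANGE.search(event.get("process", "")))


def is_windows_by_os(event: Event) -> bool:
    """First fix from the issue: NOT Processes.os="Microsoft Windows"."""
    return event.get("os") == "Microsoft Windows"


def is_windows_by_os_or_vendor(event: Event) -> bool:
    """Second fix: NOT (Processes.os="Microsoft Windows"
    OR Processes.vendor_product="Microsoft Windows")."""
    return (event.get("os") == "Microsoft Windows"
            or event.get("vendor_product") == "Microsoft Windows")


def run_detection(events: Iterable[Event],
                  exclude: Callable[[Event], bool]) -> List[str]:
    """Return the dest of every event that matches and is not excluded."""
    return [e["dest"] for e in events
            if looks_like_service_change(e) and not exclude(e)]


if __name__ == "__main__":
    # Expected: the os-only filter still lets the Security-channel host
    # through; the os+vendor filter leaves only the Linux host.
    print("os-only filter   :", run_detection(SAMPLE_EVENTS, is_windows_by_os))
    print("os+vendor filter :",
          run_detection(SAMPLE_EVENTS, is_windows_by_os_or_vendor))
```

Before relying on either exclusion in a real environment, confirm which fields each Windows source actually populates in the accelerated data model, for example with a `| tstats count from datamodel=Endpoint.Processes by Processes.os Processes.vendor_product` search, since an exclusion keyed on a field that a source leaves empty will never match that source.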