[BUG] current detections.json has searches with unbalanced parentheses
tjgeorgen opened this issue · 1 comment
tjgeorgen commented
Describe the bug
Current dist/api/detections.json for id 01d29b48-ff6f-11eb-b81e-acde48001123 is missing an opening parenthesis in the rule below after the first where:
...
"search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =\"7z.exe\" OR Processes.process_name = \"7za.exe\" OR Processes.original_file_name = \"7z.exe\" OR Processes.original_file_name = \"7za.exe\") AND (Processes.process=\"*\\\\C$\\\\*\" OR Processes.process=\"*\\\\Admin$\\\\*\" OR Processes.process=\"*\\\\IPC$\\\\*\") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`",
...
Expected behavior
Rerunning contentctl build --enrichments creates a rule with correctly balanced parentheses, so I'm not sure what happened in the current file:
...
"search": "| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name =\"7z.exe\" OR Processes.process_name = \"7za.exe\" OR Processes.original_file_name = \"7z.exe\" OR Processes.original_file_name = \"7za.exe\") AND (Processes.process=\"*\\\\C$\\\\*\" OR Processes.process=\"*\\\\Admin$\\\\*\" OR Processes.process=\"*\\\\IPC$\\\\*\") by Processes.original_file_name Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.parent_process_id Processes.process_id Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`",
...
App Version:
Appears correct when using the latest security_content and contentctl; unclear which versions were used for detections.json
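A quick way to catch this class of build artifact before it ships is to lint every search string in detections.json for balanced parentheses. The script below is an added example written for this report; it is not part of security_content or contentctl. It skips double-quoted SPL literals (so a quoted `)` or a path like "*\\C$\\*" cannot skew the count), and it assumes the file has a top-level "detections" list of objects with "id" and "search" keys, which is an assumption about the layout, not something the issue states. The two sample searches are the broken and rebuilt rules quoted above with the long `by` clause trimmed; the second detection id is made up for the sample.

```python
"""Lint detections.json searches for unbalanced parentheses (added example)."""
import json
import sys
from typing import Optional

# Constructed sample: the broken search from the issue, `by` clause trimmed.
BROKEN_SEARCH = r'''| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name ="7z.exe" OR Processes.process_name = "7za.exe" OR Processes.original_file_name = "7z.exe" OR Processes.original_file_name = "7za.exe") AND (Processes.process="*\\C$\\*" OR Processes.process="*\\Admin$\\*" OR Processes.process="*\\IPC$\\*") by Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`'''

# Constructed sample: the rebuilt search from the issue, `by` clause trimmed.
FIXED_SEARCH = r'''| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name ="7z.exe" OR Processes.process_name = "7za.exe" OR Processes.original_file_name = "7z.exe" OR Processes.original_file_name = "7za.exe") AND (Processes.process="*\\C$\\*" OR Processes.process="*\\Admin$\\*" OR Processes.process="*\\IPC$\\*") by Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `7zip_commandline_to_smb_share_path_filter`'''

# Constructed detections.json-shaped document (layout is an assumption).
SAMPLE_DOC = {
    "detections": [
        {"id": "01d29b48-ff6f-11eb-b81e-acde48001123", "search": BROKEN_SEARCH},
        {"id": "example-fixed-id", "search": FIXED_SEARCH},  # made-up id
    ]
}


def find_paren_error(search: str) -> Optional[str]:
    """Return None if parentheses balance, else a description of the first error.

    Only characters outside double-quoted literals are counted. Inside a
    literal a backslash escapes the next character, so "*\\C$\\*" is
    consumed as one string. Backtick macro names such as
    `drop_dm_object_name(Processes)` are scanned like any other text, so
    their parentheses must balance as well.
    """
    depth = 0
    in_string = False
    i = 0
    while i < len(search):
        ch = search[i]
        if in_string:
            if ch == "\\" and i + 1 < len(search):
                i += 2  # skip the escaped character
                continue
            if ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                context = search[max(0, i - 30):i + 1]
                return f"unmatched ')' at offset {i}: ...{context}"
        i += 1
    if in_string:
        return "unterminated double-quoted literal"
    if depth > 0:
        return f"{depth} unclosed '('"
    return None


def check_detections(doc: dict) -> dict:
    """Map detection id -> error message for every search that fails the lint."""
    errors = {}
    for det in doc.get("detections", []):
        err = find_paren_error(det.get("search", ""))
        if err:
            errors[det.get("id", "<no id>")] = err
    return errors


if __name__ == "__main__":
    # Usage: python lint_parens.py dist/api/detections.json
    # With no argument the constructed sample document is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_DOC
    problems = check_detections(doc)
    for det_id, msg in problems.items():
        print(f"{det_id}: {msg}")
    sys.exit(1 if problems else 0)
```

Run against the sample, the linter flags only the issue's detection id and reports the stray `)` after "7za.exe"; the rebuilt search passes. Counting outside literals matters: a naive `count("(") == count(")")` would also miss a search where a quoted `)` happens to compensate for a missing opener.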
tjgeorgen commented
OBE, dist/ removed from repo