[Rule Tuning] Searching for Saved Credentials via VaultCmd
hack-1m opened this issue · comments
Link to rule
Searching for Saved Credentials via VaultCmd:
The rule's detection refers only to process.name: "vaultcmd.exe", but during the test with rta I received logs with process.name: "VaultCmd.exe".
Description
There are several ways to change this behaviour:
Solution 1: Change the rule from process.name: "vaultcmd.exe" to process.name: "vaultcmd.exe" or process.name: "VaultCmd.exe".
Solution 2: In the winlogbeat pipeline, force all process names to lowercase to make sure that this kind of behaviour is caught by rules looking for exact patterns. However, this will make rendering less comfortable.
Solution 3: Move the lowercasing directly into the winlogbeat process.
We could do this in Logstash, but we can't be sure that this middleware will be used to retrieve logs.
Example Data
Hi @hack-1m, thanks for contacting us.
FYI, EQL queries using the ":" symbol are case-insensitive, meaning that the EQL query provided above will trigger on both of your examples. KQL, the query language you used to query Discover, is case-sensitive, and therefore you will be required to specify the exact matching name when querying the Discover tab.
Feel free to try out the EQL query provided in the rule within the Security timelines feature, and LMK if this solved your issue!
Thanks.
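To make the point about operator semantics concrete, here is an added example that is not code from the issue, the rule, or Elastic. It models EQL's case-insensitive `:` operator next to a case-sensitive literal comparison (EQL `==`, or a KQL term as used in Discover) and runs both over constructed process-start events that differ only in the casing of process.name. The `/list*` argument condition is an assumption about the rule's shape, since the page does not reproduce the query.

```python
import fnmatch

# Constructed sample process-start events in flat ECS-style fields.
# Events 0 and 1 differ only in the casing of process.name, mirroring the issue.
EVENTS = [
    {"event.type": "start", "process.name": "VaultCmd.exe",
     "process.args": ["VaultCmd.exe", "/listcreds:Windows Credentials"]},
    {"event.type": "start", "process.name": "vaultcmd.exe",
     "process.args": ["vaultcmd.exe", "/list"]},
    {"event.type": "start", "process.name": "notepad.exe",
     "process.args": ["notepad.exe", "C:\\temp\\notes.txt"]},
]


def eql_colon(value, pattern):
    """Model of EQL's ':' operator: case-insensitive, with '*' and '?' wildcards.
    Both sides are lowercased so the comparison ignores case; fnmatchcase is
    used so the host OS's own path-casing rules do not interfere."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def exact(value, pattern):
    """Model of a case-sensitive, literal comparison (EQL '==' or a KQL term)."""
    return value == pattern


def matching_events(events, name_matcher, name="vaultcmd.exe", arg_pattern="/list*"):
    """Return the indexes of events the modelled rule would alert on.

    Only the process.name comparison varies with name_matcher, because that is
    the comparison the issue is about. The argument check always uses the
    wildcard-capable matcher; '/list*' is an assumed condition, not the rule's
    actual query text."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("event.type") != "start":
            continue
        if not name_matcher(ev["process.name"], name):
            continue
        if any(eql_colon(a, arg_pattern) for a in ev.get("process.args", [])):
            hits.append(i)
    return hits


if __name__ == "__main__":
    # Case-insensitive ':' catches both casings; a literal comparison catches only one.
    print("EQL ':' hits:", matching_events(EVENTS, eql_colon))   # [0, 1]
    print("exact hits:  ", matching_events(EVENTS, exact))       # [1]
```

Swapping `eql_colon` for `exact` shows why a Discover search with the literal term returns only the lowercase event while the rule itself fires on both, which is the behaviour described in the reply above.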
Good to hear! I will then close out the issue.