Skip to content

[Rule Tuning] Unusual Network Activity from a Windows System Binary #2509

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Feb 1, 2023
Merged

[Rule Tuning] Unusual Network Activity from a Windows System Binary #2509

merged 5 commits into from
Feb 1, 2023

Conversation

w0rk3r
Copy link
Contributor

@w0rk3r w0rk3r commented Jan 31, 2023
edited
Loading

Summary

Exclude common OCSP (Online Certificate Status Protocol) sites contacted by MSIEXEC and *.local domains, ~12% alert count reduction

@w0rk3r w0rk3r added Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules Domain: Endpoint labels Jan 31, 2023
@w0rk3r w0rk3r self-assigned this Jan 31, 2023
Aegrah
Aegrah approved these changes Jan 31, 2023
View reviewed changes
Copy link
Contributor

@Aegrah Aegrah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

imays11
imays11 approved these changes Jan 31, 2023
View reviewed changes
Copy link
Contributor

@imays11 imays11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good 👍🏾

@w0rk3r w0rk3r merged commit 4bfcbea into main Feb 1, 2023
@w0rk3r w0rk3r deleted the rt_msiexec_oscp branch February 1, 2023 16:19
protectionsmachine pushed a commit that referenced this pull request Feb 1, 2023
@w0rk3r @github-actions
[Rule Tuning] Unusual Network Activity from a Windows System Binary (#…
d27026d 
…2509)

* [Rule Tuning] Unusual Network Activity from a Windows System Binary

* Update defense_evasion_network_connection_from_windows_binary.toml

(cherry picked from commit 4bfcbea)
protectionsmachine pushed a commit that referenced this pull request Feb 1, 2023
@w0rk3r @github-actions
[Rule Tuning] Unusual Network Activity from a Windows System Binary (#…
15c6af6 
…2509)

* [Rule Tuning] Unusual Network Activity from a Windows System Binary

* Update defense_evasion_network_connection_from_windows_binary.toml

(cherry picked from commit 4bfcbea)
protectionsmachine pushed a commit that referenced this pull request Feb 1, 2023
@w0rk3r @github-actions
[Rule Tuning] Unusual Network Activity from a Windows System Binary (#…
09ba8d0 
…2509)

* [Rule Tuning] Unusual Network Activity from a Windows System Binary

* Update defense_evasion_network_connection_from_windows_binary.toml

(cherry picked from commit 4bfcbea)
protectionsmachine pushed a commit that referenced this pull request Feb 1, 2023
@w0rk3r @github-actions
[Rule Tuning] Unusual Network Activity from a Windows System Binary (#…
0d95400 
…2509)

* [Rule Tuning] Unusual Network Activity from a Windows System Binary

* Update defense_evasion_network_connection_from_windows_binary.toml

(cherry picked from commit 4bfcbea)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imays11 imays11 imays11 approved these changes

@Samirbous Samirbous Samirbous approved these changes

@Aegrah Aegrah Aegrah approved these changes

@brokensound77 brokensound77 Awaiting requested review from brokensound77

@DefSecSentinel DefSecSentinel Awaiting requested review from DefSecSentinel

@terrancedejesus terrancedejesus Awaiting requested review from terrancedejesus

Assignees

@w0rk3r w0rk3r

Labels
backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@w0rk3r @imays11 @Samirbous @Aegrah