
[Bug] "Cobalt Strike Command and Control Beacon" SIEM rule uses Lucene query with lowercase operators #3208

Closed
willemdh opened this issue Oct 20, 2023 · 1 comment
Labels: bug (Something isn't working), community

@willemdh

"Cobalt Strike Command and Control Beacon" SIEM rule uses Lucene query with lowercase operators. The result is that it alerts on all kinds of events containing 'or' and 'and'.

Query:

((event.category: (network or network_traffic) and type: (tls or http)) or event.dataset: (network_traffic.tls or network_traffic.http)) and destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/


  • Version: 8.10.2
@willemdh willemdh added the bug Something isn't working label Oct 20, 2023
@w0rk3r w0rk3r self-assigned this Oct 22, 2023
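The failure mode in this report is worth checking mechanically: Lucene's classic query parser only recognises `AND`, `OR` and `NOT` as boolean operators when they are written in upper case, so a lowercase `or` is parsed as an ordinary search term and the rule fires on any event that happens to contain that word (KQL, by contrast, accepts lowercase operators, which is how a query moved between the two languages ends up like this). The linter below is an added example, not code from this issue or from the detection-rules repository; it assumes only the subset of Lucene syntax the reported rule uses (regex literals `/.../`, quoted phrases, parentheses, `field:value` terms) and is not a full Lucene parser. Running it over a rule set flags bare lowercase operators, leaves words inside regex or quoted literals alone, and produces the corrected query.

```python
"""Lint Lucene-syntax detection queries for lowercase boolean operators.

Lucene's classic query parser treats AND / OR / NOT as operators only when
written in upper case; a lowercase `or` is just a term to search for, so a
rule written that way matches any event containing the word "or".
"""
import re

# Boolean operators recognised by the Lucene classic query parser.
OPERATORS = {"AND", "OR", "NOT"}

# Tokenizer. Regex literals and quoted phrases are tried first so that an
# "or" inside /.../ or "..." is never mistaken for an operator. An unterminated
# literal matches nothing and is reported as an error rather than guessed at.
TOKEN_RE = re.compile(
    r'(?P<regex>/(?:\\.|[^/\\])*/)'      # Lucene regex literal /.../
    r'|(?P<quoted>"(?:\\.|[^"\\])*")'    # quoted phrase "..."
    r'|(?P<paren>[()])'                  # grouping
    r'|(?P<ws>\s+)'                      # whitespace (dropped)
    r'|(?P<word>[^\s()"/]+)'             # field:value pairs, bare terms, operators
)

# The query quoted in this issue (copied from the report, not constructed).
ISSUE_QUERY = (
    r"((event.category: (network or network_traffic) and type: (tls or http)) "
    r"or event.dataset: (network_traffic.tls or network_traffic.http)) "
    r"and destination.domain:/[a-z]{3}.stage.[0-9]{8}\..*/"
)


def tokenize(query):
    """Split a query into (kind, text, start, end) tuples, skipping whitespace."""
    tokens = []
    pos = 0
    while pos < len(query):
        match = TOKEN_RE.match(query, pos)
        if match is None:
            snippet = query[pos:pos + 20]
            raise ValueError(f"unparseable query at offset {pos}: {snippet!r}")
        if match.lastgroup != "ws":
            tokens.append((match.lastgroup, match.group(), match.start(), match.end()))
        pos = match.end()
    return tokens


def lowercase_operators(query):
    """Return [(offset, token)] for bare and/or/not tokens not written in upper case."""
    return [
        (start, text)
        for kind, text, start, _ in tokenize(query)
        if kind == "word" and text.upper() in OPERATORS and text != text.upper()
    ]


def fix_operators(query):
    """Return the query with bare boolean operators upper-cased; literals untouched."""
    out = []
    last = 0
    for kind, text, start, end in tokenize(query):
        if kind == "word" and text.upper() in OPERATORS:
            out.append(query[last:start])
            out.append(text.upper())
            last = end
    out.append(query[last:])
    return "".join(out)


def lint_rules(rules):
    """Map rule name -> list of (offset, token) findings, for rules with any finding."""
    report = {}
    for name, query in rules.items():
        findings = lowercase_operators(query)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    # Constructed rule set: the reported rule plus a clean one and one whose
    # only "or" sits inside a quoted phrase and must not be flagged.
    rules = {
        "Cobalt Strike Command and Control Beacon": ISSUE_QUERY,
        "clean rule": "event.category:process AND process.name:cmd.exe",
        "phrase only": 'message:"either or" AND host.name:web01',
    }
    for name, findings in lint_rules(rules).items():
        print(f"{name}: {len(findings)} lowercase operator(s) at {[o for o, _ in findings]}")
        print("  fixed:", fix_operators(rules[name]))
```

Only the `word` tokens are ever examined, so a field literally named `or` (`or:foo`) or a phrase such as `"and or not"` is left alone; anything the tokenizer cannot classify, such as an unterminated `"` or `/`, raises instead of being silently skipped, which is the behaviour you want from a pre-commit check on a rule repository.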
@w0rk3r (Contributor) commented Oct 22, 2023

Hey @willemdh, just fixed this one and a few other Lucene queries in this PR: #3196, let me know if there is anything else to fix, thanks for the contribution!

@w0rk3r w0rk3r closed this as completed Oct 22, 2023