From 6604f13d058a58a769e5a3f161f4ab66a80e96b6 Mon Sep 17 00:00:00 2001 From: Ryland Herrick Date: Thu, 6 Feb 2020 17:35:49 -0600 Subject: [PATCH] Fix typo on detection engine rule (#56993) (#57045) Co-authored-by: Elastic Machine Co-authored-by: Elastic Machine --- .../prepackaged_rules/linux_shell_activity_by_web_server.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json index eff3dd0ab1400..d9455ab7d5b3e 100644 --- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json +++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/linux_shell_activity_by_web_server.json @@ -9,7 +9,7 @@ "language": "kuery", "max_signals": 100, "name": "Potential Shell via Web Server", - "query": "process.name: bash and user.name: (apache or www or \"wwww-data\") and event.action:executed", + "query": "process.name: bash and user.name: (apache or www or \"www-data\") and event.action:executed", "references": [ "https://pentestlab.blog/tag/web-shell/" ],