Several detections have broken regular expressions in a rex command. Change occurred in #3889
Affected detections:
Detect SNICat SNI Exfiltration
Windows AD Privileged Account SID History Addition
WMI Permanent Event Subscription
WMI Temporary Event Subscription
Example - Detect SNICat SNI Exfiltration
Current search syntax:
`zeek_ssl`
| rex field=server_name "(?<snicat>(LIST
| LS
| SIZE
| LD
| CB
| CD
| EX
| ALIVE
| EXIT
| WHERE
| finito)-[A-Za-z0-9]{16}\.)"
| stats count
BY src_ip dest_ip server_name
snicat
| where count>0
| table src_ip dest_ip server_name snicat
| `detect_snicat_sni_exfiltration_filter`
Previous search syntax:
`zeek_ssl`
| rex field=server_name "(?<snicat>(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)"
| stats count by src_ip dest_ip server_name snicat
| where count>0
| table src_ip dest_ip server_name snicat
| `detect_snicat_sni_exfiltration_filter`
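The root cause above is a formatter that splits on every `|` without checking whether it is inside a double-quoted string, so the regex alternation in the rex command is broken apart. Below is an added example (not code from the security_content repository or from the issue author) of two checks a CI job could run before a detection is merged: a quote-aware pipe splitter that shows how many commands the search really has, and a regression check that every regex in a rex command still compiles and still matches a known-good sample. It assumes the two search strings reconstructed from the issue text, a constructed sample SNI, and that a quoted string spanning several lines is still one string (so the mangled regex gets newlines and spaces inside its alternatives). Splunk's rex uses PCRE named groups (`(?<name>...)`), which Python only accepts as `(?P<name>...)`, so the check rewrites that one construct before compiling.

```python
import re

# Constructed from the issue text: the previous (working) search, joined onto one line.
GOOD_SEARCH = (
    '`zeek_ssl` | rex field=server_name '
    '"(?<snicat>(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\\.)" '
    '| stats count by src_ip dest_ip server_name snicat | where count>0 '
    '| table src_ip dest_ip server_name snicat | `detect_snicat_sni_exfiltration_filter`'
)

# Constructed from the issue text: the search as the formatter in #3889 rewrote it,
# with every '|' inside the quoted regex treated as an SPL command pipe.
BROKEN_SEARCH = (
    '`zeek_ssl`\n'
    '| rex field=server_name "(?<snicat>(LIST\n'
    '| LS\n| SIZE\n| LD\n| CB\n| CD\n| EX\n| ALIVE\n| EXIT\n| WHERE\n'
    '| finito)-[A-Za-z0-9]{16}\\.)"\n'
    '| stats count\nBY src_ip dest_ip server_name\nsnicat\n'
    '| where count>0\n'
    '| table src_ip dest_ip server_name snicat\n'
    '| `detect_snicat_sni_exfiltration_filter`'
)

# Constructed (hypothetical) SNI value in the shape the detection looks for:
# a command keyword, a dash, 16 alphanumerics, then a dot.
SAMPLE_SNI = "LIST-abcdefghijklmnop.example.com"


def split_spl_pipes(search: str) -> list[str]:
    """Split an SPL search into commands on '|', ignoring pipes inside double quotes.

    A backslash inside a quoted string escapes the next character (so \\" does not
    close the string). This is what the formatter should have done.
    """
    segments, buf, in_quote, escape = [], [], False, False
    for ch in search:
        if escape:
            buf.append(ch)
            escape = False
            continue
        if in_quote and ch == "\\":
            buf.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            segments.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    segments.append("".join(buf).strip())
    return [s for s in segments if s]


def rex_patterns(search: str) -> list[str]:
    """Return the quoted regex of every rex command in the search."""
    patterns = []
    for segment in split_spl_pipes(search):
        # re.S so a regex mangled across several lines is still captured whole.
        m = re.match(r'rex\b.*?"(.*)"\s*$', segment, re.S)
        if m:
            patterns.append(m.group(1))
    return patterns


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups '(?<name>' to Python's '(?P<name>' (lookbehinds untouched)."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def regex_still_detects(search: str, sample: str) -> bool:
    """True only if every rex regex in the search compiles and matches the sample."""
    patterns = rex_patterns(search)
    if not patterns:
        return False
    for pattern in patterns:
        try:
            compiled = re.compile(pcre_to_python(pattern))
        except re.error:
            return False
        if compiled.search(sample) is None:
            return False
    return True


if __name__ == "__main__":
    for name, search in (("previous", GOOD_SEARCH), ("current", BROKEN_SEARCH)):
        commands = len(split_spl_pipes(search))
        naive = len(search.split("|"))
        status = "still detects" if regex_still_detects(search, SAMPLE_SNI) else "NO LONGER detects"
        print(f"{name}: {commands} commands (naive split: {naive}); {status} {SAMPLE_SNI}")
```

Run against the two searches, the quote-aware splitter reports six commands for both, while a naive split of the working search yields sixteen fragments, which is exactly the mistake the formatter made. The regression check passes for the previous syntax and fails for the current one, because the mangled alternatives now contain newlines and spaces and no longer match the sample SNI. Keeping one known-good sample per rex-based detection and asserting on it in CI would catch this class of breakage before it reaches production searches.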