
TR-3994 - Add Secure Endpoint Analytics #3277

Merged
merged 24 commits into from
Feb 19, 2025

Conversation

@nasbench (Contributor) commented Jan 14, 2025

This PR adds new analytics related to the potential abuse of the Cisco Secure Endpoint sfc.exe utility, which allows a user to stop a service, unblock a file or uninstall the service.

New Analytics

  • Windows Cisco Secure Endpoint Related Service Stopped
  • Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
  • Windows Cisco Secure Endpoint Unblock File Via Sfc
  • Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc

New Analytic Story

  • Security Solution Tampering
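The four analytics above are Splunk searches in the repository; as an added example that is not part of this PR or of the project's own content, the Python below emulates their logic over constructed Windows process-creation and System-log events. The sfc.exe switches (`-k`, `-unblock`, `-u`), the install-path marker and the service display names are assumptions standing in for whatever the real searches carry; replace them with the values from the Cisco documentation you deploy against. It also applies the check a practitioner wants here: Microsoft ships an unrelated sfc.exe (System File Checker) in System32, so the match is restricted to the Cisco connector's install directory rather than the bare process name.

```python
"""Emulate the Cisco Secure Endpoint sfc.exe tampering analytics over sample events.

Added example; the switches, path marker and service names below are
assumptions, not values taken from the PR or from Cisco.
"""
import shlex

# ASSUMPTION: sfc.exe command-line switches mapped to the analytic they represent.
SFC_SWITCHES = {
    "-k": "Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc",
    "-unblock": "Windows Cisco Secure Endpoint Unblock File Via Sfc",
    "-u": "Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc",
}

# ASSUMPTION: the connector lives under ...\Cisco\AMP\<version>\. Microsoft's own
# sfc.exe (System File Checker) in System32 must not match, so the process name
# alone is not enough; the path has to carry this marker.
CISCO_PATH_MARKER = "\\cisco\\amp\\"

# ASSUMPTION: service display names that identify the connector in a 7036 event.
CISCO_SERVICE_NAMES = ("cisco secure endpoint", "immunet")

# Constructed sample events (not real telemetry), shaped like fields a Splunk
# search would see from Sysmon EventID 1 / Security 4688 and System EventID 7036.
SAMPLE_EVENTS = [
    {"process_path": r"C:\Program Files\Cisco\AMP\8.2.3\sfc.exe",
     "process": r'"C:\Program Files\Cisco\AMP\8.2.3\sfc.exe" -k Sup3rS3cr3t',
     "parent_process": r"C:\Windows\System32\cmd.exe"},
    {"process_path": r"C:\Windows\System32\sfc.exe",          # Microsoft SFC: must not fire
     "process": "sfc.exe /scannow",
     "parent_process": r"C:\Windows\System32\cmd.exe"},
    {"process_path": r"C:\Program Files\Cisco\AMP\8.2.3\sfc.exe",
     "process": r'"C:\Program Files\Cisco\AMP\8.2.3\sfc.exe" -unblock "C:\Users\bob\tool.exe"',
     "parent_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"process_path": r"C:\Program Files\Cisco\AMP\8.2.3\sfc.exe",
     "process": r'"C:\Program Files\Cisco\AMP\8.2.3\sfc.exe" -u',
     "parent_process": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 7036, "service_name": "Cisco Secure Endpoint", "state": "stopped"},
    {"EventCode": 7036, "service_name": "Print Spooler", "state": "stopped"},  # unrelated
]


def is_cisco_sfc(process_path):
    """True only for an sfc.exe under the Cisco connector directory."""
    p = process_path.lower().replace("/", "\\")
    return p.endswith("\\sfc.exe") and CISCO_PATH_MARKER in p


def tokenize_cmdline(cmdline):
    """Split a Windows command line; posix=False keeps backslashes and quoted paths intact."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def match_sfc_abuse(event):
    """Return the sfc.exe analytics that fire for one process-creation event."""
    if not is_cisco_sfc(event.get("process_path", "")):
        return []
    # Exact token match so "-u" does not also match "-unblock".
    args = {t.lower() for t in tokenize_cmdline(event["process"])[1:]}
    return [name for switch, name in SFC_SWITCHES.items() if switch in args]


def match_service_stopped(event):
    """System EventID 7036 'entered the stopped state' for a connector service."""
    if str(event.get("EventCode")) != "7036" or event.get("state", "").lower() != "stopped":
        return []
    svc = event.get("service_name", "").lower()
    if any(marker in svc for marker in CISCO_SERVICE_NAMES):
        return ["Windows Cisco Secure Endpoint Related Service Stopped"]
    return []


def run_detections(events):
    """Run every analytic over a list of events; returns (analytic, evidence) pairs."""
    hits = []
    for ev in events:
        matches = match_sfc_abuse(ev) if "process" in ev else match_service_stopped(ev)
        for name in matches:
            hits.append((name, ev.get("process") or ev.get("service_name")))
    return hits


if __name__ == "__main__":
    for name, evidence in run_detections(SAMPLE_EVENTS):
        print(f"{name}: {evidence}")
```

Running the block prints one line per firing analytic: the three Cisco sfc.exe invocations and the connector's 7036 stop event, while the Microsoft `sfc.exe /scannow` and the Print Spooler stop produce nothing. When porting this back to SPL, the same two decisions carry over: constrain on the full process path (or original file name), not on `sfc.exe` alone, and match switches as whole tokens so an uninstall switch does not swallow an unblock one.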

@nasbench nasbench added the WIP DO NOT MERGE Work in Progress label Jan 14, 2025
@nasbench nasbench changed the title Add Secure Endpoint Analytics TR-3994 - Add Secure Endpoint Analytics Jan 23, 2025
@nasbench nasbench marked this pull request as ready for review January 29, 2025 11:49
@pyth0n1c pyth0n1c removed the WIP DO NOT MERGE Work in Progress label Feb 19, 2025
@pyth0n1c (Collaborator) previously approved these changes Feb 19, 2025 and left a comment:

Had some offline discussions with developer to fix minor issues with field naming.
Looks great! Approved.

add missing "search" keyword which caused unit testing to fail.
@pyth0n1c (Collaborator) left a comment:

consulted with dev - agreed on minor fix to content (add missing "search" word in detection)

@pyth0n1c pyth0n1c merged commit 7966993 into develop Feb 19, 2025
4 checks passed
@pyth0n1c pyth0n1c deleted the new-rules branch February 19, 2025 20:12
@patel-bhavin patel-bhavin added this to the v5.1.0 milestone Feb 19, 2025
4 participants