Had a question about the rule "Unusual Child Process from a System Virtual Process", sorry if this is not the correct forum for it. I'm using the most recent rule query and when these alerts do spawn, we are unable to tell what exactly the spawned process is. I've checked the Discover logs, and found nothing related.
Is there a way i can change this rule to allow me to see the spawned process?
Hi @Brandon_Duffy, it would probably be best to open an issue in the elastic/detection-rules repo where this Elastic prebuilt rule originates from (source).
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.