Use case exception

PerfectSushi · June 23, 2023, 8:52am

Dear team,

I am currently facing some challenges while attempting to create a correlated use case involving the prebuilt "Whoami Process Activity." The issue arises because we need to make an exception for a previous log that generates this activity. Specifically, it is a PowerShell script that executes the "whoami" validation.

sequence with maxspan=2s
[process where process.args: "*"]
[process where event.type in ("start", "process_started") and process.name: "whoami.exe"]

Currently, when I attempt to use the query NOT "process where not process.args:", it does not seem to be functioning correctly.

I would greatly appreciate your assistance in this matter. Could you please help me understand what I might be doing wrong?

Best regards,

system · July 21, 2023, 8:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rule exception in SIEM Kibana 7.12 Elastic Security	2	959	June 1, 2021
EQL rules are wrong, God help me Elastic Security	7	386	October 20, 2022
Problem with PowerShell security rules that use process.args Elastic Security	3	406	April 3, 2023
Field case sensitivity and detection rules not triggering 'clear-eventlog' SIEM	4	785	May 27, 2020
Errors with a "does not exist" query Kibana	3	1379	September 28, 2021

Use case exception

Related topics