Update rules/cross-platform/credential_access_forced_authentication_p…

…ipes.toml
elastic · Oct 1, 2024 · eb10654 · eb10654
1 parent 59f3c6f
commit eb10654
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/rules/cross-platform/credential_access_forced_authentication_pipes.toml b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
@@ -57,7 +57,7 @@ type = "eql"
 
 query = '''
 sequence with maxspan=15s
-[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip)) ] by host.ip, data_stream.namespace
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace
 [file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip, data_stream.namespace
 '''