From eb10654aae39bd39da266a150952b16efc03bbd1 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 1 Oct 2024 17:11:34 -0300
Subject: [PATCH] Update rules/cross-platform/credential_access_forced_authentication_pipes.toml

---
 .../credential_access_forced_authentication_pipes.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cross-platform/credential_access_forced_authentication_pipes.toml b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
index 2d88409b94b..db0ec420cba 100644
--- a/rules/cross-platform/credential_access_forced_authentication_pipes.toml
+++ b/rules/cross-platform/credential_access_forced_authentication_pipes.toml
@@ -57,7 +57,7 @@ type = "eql"
 query = '''
 sequence with maxspan=15s
-[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip)) ] by host.ip, data_stream.namespace
+[network where host.os.type == "linux" and event.action == "connection_attempted" and destination.port == 445 and not startswith~(string(destination.ip), string(host.ip))] by host.ip, data_stream.namespace
 [file where host.os.type == "windows" and event.code == "5145" and file.name : ("Spoolss", "netdfs", "lsarpc", "lsass", "netlogon", "samr", "efsrpc", "FssagentRpc")] by source.ip, data_stream.namespace
 '''