Investigate Azure Full Network Packet Capture Detected #168

Open
cavokz opened this issue May 12, 2023 · 2 comments
Comments

cavokz (Collaborator) commented May 12, 2023

https://github.com/elastic/geneve/blob/main/tests/reports/alerts_from_rules.md#azure-full-network-packet-capture-detected

@cavokz cavokz added this to the Correctness milestone May 12, 2023
@cavokz cavokz changed the title Investigate 'Azure Full Network Packet Capture Detected' Investigate Azure Full Network Packet Capture Detected May 12, 2023
cavokz (Collaborator, Author) commented Jun 28, 2023

The problem with this rule is in its query:

```
event.dataset:azure.activitylogs and azure.activitylogs.operation_name:
    (
        "MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION" or
        "MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION" or
        "MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE"
    ) and
event.outcome:(Success or success)
```

Specifically this part:

```
    (
        "MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION" or
        "MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION" or
        "MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE"
    )
```

Double quotes should not be there, otherwise the query expects them in the value of the field, unless I totally misunderstood the rule and quotes actually need to be part of the field value. Checking with @Mikaayenson whether this is the case or not.

Removing the double quotes makes the query find the documents generated by Geneve.
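The quoting problem described in the comment above, as an added example that is not part of this issue, of Geneve, or of the Elastic rule itself. It models one assumed simplification of KQL term matching on a keyword field: an unquoted term treats `*` as a wildcard, while a quoted term is matched literally, so a `*` inside the quotes has to appear verbatim in the stored value. The sample documents are constructed, not real Azure activity log data, and the helper names (`value_matches`, `rule_hits`, `OPERATION_TERMS`) are this example's own.

```python
import re

# Constructed sample documents shaped like the ECS fields the rule reads.
# The operation names are plausible Azure activity log values, not captured data.
DOCS = [
    {"event.dataset": "azure.activitylogs",
     "azure.activitylogs.operation_name": "MICROSOFT.NETWORK/NETWORKWATCHERS/PACKETCAPTURES/WRITE",
     "event.outcome": "success"},
    {"event.dataset": "azure.activitylogs",
     "azure.activitylogs.operation_name": "MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION",
     "event.outcome": "Success"},
    {"event.dataset": "azure.activitylogs",
     "azure.activitylogs.operation_name": "MICROSOFT.NETWORK/NETWORKWATCHERS/PACKETCAPTURES/WRITE",
     "event.outcome": "Failure"},          # excluded by the event.outcome clause
    {"event.dataset": "azure.activitylogs",
     "azure.activitylogs.operation_name": "MICROSOFT.NETWORK/NETWORKWATCHERS/WRITE",
     "event.outcome": "success"},          # not a packet capture operation
]

# The three operation_name terms from the rule, without the surrounding quotes.
OPERATION_TERMS = [
    "MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION",
    "MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION",
    "MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE",
]


def value_matches(term: str, value: str) -> bool:
    """Simplified model (assumption) of how a KQL term matches a keyword field.

    - A term wrapped in double quotes is a literal match; '*' inside the quotes
      is an ordinary character, so the stored value must contain it verbatim.
    - An unquoted term treats '*' as a wildcard matching any run of characters.
    """
    if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
        return value == term[1:-1]
    regex = ".*".join(re.escape(part) for part in term.split("*"))
    return re.fullmatch(regex, value) is not None


def rule_hits(docs, quoted: bool):
    """Evaluate the rule's three clauses over docs and return matching operation names.

    quoted=True reproduces the query as written in the rule (terms in double quotes);
    quoted=False is the query with the quotes removed.
    """
    terms = [f'"{t}"' if quoted else t for t in OPERATION_TERMS]
    hits = []
    for doc in docs:
        if doc.get("event.dataset") != "azure.activitylogs":
            continue
        op = doc.get("azure.activitylogs.operation_name", "")
        if not any(value_matches(t, op) for t in terms):
            continue
        if doc.get("event.outcome") not in ("Success", "success"):
            continue
        hits.append(op)
    return hits


if __name__ == "__main__":
    print("quoted terms  :", rule_hits(DOCS, quoted=True))
    print("unquoted terms:", rule_hits(DOCS, quoted=False))
```

With the quotes in place the only value that would satisfy the rule is one that literally contains `/*/`, which no real operation name does, so the rule never fires on the constructed documents; with the quotes removed the two successful packet capture operations match and the failed one and the unrelated write are still excluded. Whether the real KQL engine behaves exactly like this model is the assumption stated above; the point of the example is to make the difference between the two readings of the query concrete.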

cavokz (Collaborator, Author) commented Aug 31, 2023

Already fixed in stacks >= 8.5.0, will not be fixed in older stacks.
