
CIAC-11873/XSIAM-PB-Suspicious-execution-from-tmp-folder #38406

Merged

Conversation

efelmandar
Contributor

Status

  • In Progress
  • Ready
  • In Hold - (Reason for hold)

Related Issues

fixes: link to the issue

Description

Adding a new playbook to handle the following alerts:

  • Suspicious interactive execution of a binary from the tmp folder
  • Suspicious cron job task execution of a binary from the tmp folder
  • A web server process executed an unpopular application from the tmp folder

Must have

  • Tests
  • Documentation

@efelmandar efelmandar marked this pull request as ready for review January 30, 2025 09:50
@ShirleyDenkberg
Contributor

@altmannyarden Doc review completed.

efelmandar and others added 3 commits February 2, 2025 10:44
…us_execution_from_tmp_folder.yml

Co-authored-by: ShirleyDenkberg <[email protected]>
…us_execution_from_tmp_folder.yml

Co-authored-by: ShirleyDenkberg <[email protected]>
…us_execution_from_tmp_folder.yml

Co-authored-by: ShirleyDenkberg <[email protected]>
@content-bot
Collaborator

This PR was automatically updated by a GitHub Action

  • CortexResponseAndRemediation pack version was bumped to 1.1.5.

To stop automatic version bumps, add the ignore-auto-bump-version label to the github PR.

efelmandar and others added 6 commits February 2, 2025 11:29
…der' and 'CIAC-11873/XSIAM-PB-Suspicious-execution-from-tmp-folder' of https://github.com/demisto/content into CIAC-11873/XSIAM-PB-Suspicious-execution-from-tmp-folder
…us_execution_from_tmp_folder.yml

Co-authored-by: ShirleyDenkberg <[email protected]>
…us_execution_from_tmp_folder.yml

Co-authored-by: ShirleyDenkberg <[email protected]>
@efelmandar efelmandar requested a review from umishkin February 2, 2025 14:42
Contributor

@umishkin umishkin left a comment


  • You didn't fix all of Yarden's comments; please re-review Yarden's comments.
    • Added some other comments.

@efelmandar efelmandar merged commit 1dff703 into master Feb 3, 2025
17 checks passed
@efelmandar efelmandar deleted the CIAC-11873/XSIAM-PB-Suspicious-execution-from-tmp-folder branch February 3, 2025 22:27