Suspicious file access
Last updated on:
In this page
About the rule
Rule Type
Advanced
Rule Description
Multiple failed attempts to access a single file are followed by a file modification, made by the same user.
Severity
Critical
Rule Requirement
Criteria
Action1:
actionname = "Failed file access"
| timewindow 5m
| groupby USERNAME
| groupby OBJECTNAME having COUNT >= 3
Action2:
actionname = "File modified" AND USERNAME = Action1.USERNAME AND OBJECTNAME = Action1.OBJECTNAME
sequence:Action1 followedby Action2 within 5m
select Action1.timewindow.HOSTNAME,Action1.timewindow.MESSAGE,Action1.timewindow.USERNAME,Action1.timewindow.DOMAIN,Action1.timewindow.OBJECTNAME,Action1.timewindow.PROCESSNAME,Action1.timewindow.ACCESSLIST,Action1.timewindow.FILETYPE,Action2.HOSTNAME,Action2.MESSAGE,Action2.USERNAME,Action2.DOMAIN,Action2.OBJECTNAME,Action2.PROCESSNAME,Action2.ACCESSLIST,Action2.FILETYPE
Detection
Execution Mode
realtime
Log Sources
Windows
