
Commit 288178b

Update rules/cross-platform/collection_genai_process_sensitive_file_access.toml
Co-authored-by: Samirbous <[email protected]>
1 parent 384ea21 commit 288178b


1 file changed

+3
-20
lines changed


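--- a/rules/cross-platform/collection_genai_process_sensitive_file_access.toml
+++ b/rules/cross-platform/collection_genai_process_sensitive_file_access.toml
@@ -80,26 +80,9 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-sequence by process.entity_id with maxspan=5m
-[process where event.type == "start" and event.action in ("exec", "executed", "process_started", "start", "ProcessRollup2") and
-
-// GenAI-related processes: well-known GenAI tools/IDEs/frameworks
-(
-process.name in ("ollama.exe", "ollama", "textgen.exe", "textgen", "lmstudio.exe", "lmstudio", "claude.exe", "claude", "cursor.exe", "cursor", "copilot.exe", "copilot") or
-
-// Node-related processes with GenAI indicators in command line
-(process.name in ("node.exe", "node", "deno.exe", "deno") and process.command_line like~ ("*ollama*", "*mcp*", "*langchain*", "*gpt*", "*claude*", "*copilot*", "*cursor*", "*gemini*", "*genaiscript*", "*grok*", "*qwen*")) or
-
-// Python processes ONLY when clearly GenAI-related
-(process.name like "python*" and process.command_line like~ ("*ollama*", "*mcp*", "*langchain*", "*gpt*", "*claude*", "*copilot*", "*cursor*", "*gemini*", "*genaiscript*", "*grok*", "*qwen*")) or
-
-// GenAI frameworks and tools via command line
-process.command_line like~ ("*ollama*", "*textgen*", "*lmstudio*", "*mcp*", "*langchain*", "*autogpt*", "*babyagi*", "*agentgpt*", "*crewai*", "*semantic*", "*llama*", "*haystack*", "*transformers*", "*gpt*", "*claude*", "*copilot*", "*cursor*", "*gemini*", "*genaiscript*", "*grok*", "*qwen*", "*openai*", "*anthropic*", "*cohere*", "*mistral*", "*perplexity*", "*replicate*", "*huggingface*" )
-)
-]
-[file where (event.action == "open" or event.action == "modification") and event.outcome == "success" and
-not (process.name like "claude*" and file.path like "?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State")
-]
+file where event.action == "open" and event.outcome == "success" and
+process.name in ("ollama.exe", "ollama", "textgen.exe", "textgen", "lmstudio.exe", "lmstudio", "claude.exe", "claude", "cursor.exe", "cursor", "copilot.exe", "copilot") and
+not (process.name in ("claude.exe", "claude") and file.path like "?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State")
 '''
 
 [[rule.threat]]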
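Review bot: The rewritten query between `query = '''` and `'''` carries no file.path (or file.name) selector, so every successful "open" by any of the listed process names matches, which does not square with the rule's "sensitive file access" title; unless a sensitive-path constraint is applied elsewhere in the rule file (not visible in this hunk), one should be added to the new `file where` line. Separately, the new `process.name in (...)` and the exclusion's `process.name in ("claude.exe", "claude")` are case-sensitive in EQL, while the old command-line checks used `like~`; on Windows the binary name case can differ from the lowercase spellings listed, so `in~` would be the safer form, e.g. `process.name in~ ("ollama.exe", "ollama", ...)` and `not (process.name in~ ("claude.exe", "claude") and file.path like~ "?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State")`. The rest of the rule (index patterns, description, threat mapping) lies outside the hunk.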
