Skip to content

Commit ef25eda

Browse files
ljstellaljstella
committed
Message formatting changes
1 parent 50fff2d commit ef25eda

File tree

2 files changed

+6
-5
lines changed

2 files changed

+6
-5
lines changed

detections/endpoint/linux_suspicious_react_or_next_js_child_process.yml

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -122,7 +122,8 @@ drilldown_searches:
122122
earliest_offset: $info_min_time$
123123
latest_offset: $info_max_time$
124124
- name: View risk events for the last 7 days for - "$dest$"
125-
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
125+
search:
126+
'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
126127
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
127128
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
128129
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -131,7 +132,7 @@ drilldown_searches:
131132
earliest_offset: $info_min_time$
132133
latest_offset: $info_max_time$
133134
rba:
134-
message: |
135+
message:
135136
A Node-based server process ($parent_process_name$) on Linux spawned the
136137
child process $process_name$ with command-line $process$ on host $dest$ by user $user$, which may
137138
indicate remote code execution via React Server Components (CVE-2025-55182 /

detections/endpoint/windows_suspicious_react_or_next_js_child_process.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -113,7 +113,8 @@ drilldown_searches:
113113
earliest_offset: $info_min_time$
114114
latest_offset: $info_max_time$
115115
- name: View risk events for the last 7 days for - "$dest$"
116-
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
116+
search:
117+
'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
117118
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
118119
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
119120
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -122,8 +123,7 @@ drilldown_searches:
122123
earliest_offset: $info_min_time$
123124
latest_offset: $info_max_time$
124125
rba:
125-
message: |
126-
A Node-based server process ($parent_process_name$) spawned the child
126+
message: A Node-based server process ($parent_process_name$) spawned the child
127127
process $process_name$ with command-line $process$ on host $dest$ by user $user$, which may indicate
128128
remote code execution via React Server Components (CVE-2025-55182 /
129129
React2Shell) or abuse of a similar Node.js RCE vector.

0 commit comments

Comments
 (0)