False Positive Alerts generated for custom runtime rule created using proc.cmdline string

Created On 08/12/23 08:04 AM - Last Modified 09/04/24 18:55 PM


Symptom


False positive alerts were being generated, and a custom runtime rule was created to address them. The rule was written with the following expression, which combines a proc.path condition with a list of values for proc.cmdline:
proc.path = "/opt/java/openjdk/bin/java" and proc.cmdline in ("/home/jenkins/agent", "http://jenkins:8080/")
 


Environment


CWP self-hosted
version: 30.00.140


Cause


proc.cmdline expects a single string, not a list of strings. The `in ("...", "...")` list form is therefore not valid for proc.cmdline, and the rule above does not evaluate as intended.

Resolution


The problem was solved by rewriting the rule so that each command-line fragment is tested separately with `contains`, with the two tests joined by `and`:
proc.name = "java" and (proc.cmdline contains "http://jenkins:8080/" and proc.cmdline contains "/home/jenkins/agent")
Note that the working rule matches on proc.name = "java" rather than on the full proc.path, so it also applies to java binaries at other paths; keep the proc.path condition if the rule should be limited to /opt/java/openjdk/bin/java.
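To see why the first rule fails and the second works, here is a small Python model of both predicates run over a few constructed process records. This is an added example, not code from the KB article or from Prisma Cloud; the sample command lines are constructed, and the model assumes that `in (...)` is an exact-value membership test while `contains` is a substring test. The third rule, which keeps the proc.path restriction, is a suggested tightening and is not part of the article's resolution.

```python
# Added example (not from the KB article and not Prisma Cloud code): a small
# Python model of how the two rule forms evaluate against process records.
# Assumption: `in (...)` is an exact-value membership test, while `contains`
# is a substring test; field names mirror the rule language (proc.path,
# proc.name, proc.cmdline).
from dataclasses import dataclass


@dataclass
class Proc:
    """One process as the runtime sensor would see it."""
    path: str      # proc.path: absolute path of the executable
    name: str      # proc.name: basename of the executable
    cmdline: str   # proc.cmdline: the full command line, one string


# Constructed sample processes (hypothetical; not captured from a real host).
SAMPLES = [
    # 0: the Jenkins inbound agent the rule is meant to match
    Proc("/opt/java/openjdk/bin/java", "java",
         "java -jar /usr/share/jenkins/agent.jar -url http://jenkins:8080/ "
         "-workDir /home/jenkins/agent"),
    # 1: the same JDK running an unrelated application
    Proc("/opt/java/openjdk/bin/java", "java", "java -jar /opt/app/app.jar"),
    # 2: a Jenkins agent started from a JDK at a different path
    Proc("/usr/bin/java", "java",
         "java -jar agent.jar -url http://jenkins:8080/ -workDir /home/jenkins/agent"),
    # 3: a shell that merely mentions the Jenkins URL
    Proc("/bin/sh", "sh", "sh -c 'curl http://jenkins:8080/'"),
]


def rule_with_in(p: Proc) -> bool:
    """Model of the original rule:
    proc.path = "/opt/java/openjdk/bin/java"
      and proc.cmdline in ("/home/jenkins/agent", "http://jenkins:8080/")
    Each list element is compared with the whole command line, so a real
    command line (both fragments plus other arguments) never equals either.
    """
    return (p.path == "/opt/java/openjdk/bin/java"
            and p.cmdline in ("/home/jenkins/agent", "http://jenkins:8080/"))


def rule_with_contains(p: Proc) -> bool:
    """Model of the working rule from the article:
    proc.name = "java" and (proc.cmdline contains "http://jenkins:8080/"
                            and proc.cmdline contains "/home/jenkins/agent")
    Python's `in` on two strings is a substring test, i.e. `contains`.
    """
    return (p.name == "java"
            and "http://jenkins:8080/" in p.cmdline
            and "/home/jenkins/agent" in p.cmdline)


def rule_contains_with_path(p: Proc) -> bool:
    """Hypothetical tightened form (a suggestion, not from the article):
    keep the substring tests but also restrict to the original proc.path.
    """
    return p.path == "/opt/java/openjdk/bin/java" and rule_with_contains(p)


def matching_indexes(rule, procs=SAMPLES) -> list:
    """Return the indexes of the sample processes that a rule matches."""
    return [i for i, p in enumerate(procs) if rule(p)]


if __name__ == "__main__":
    for rule in (rule_with_in, rule_with_contains, rule_contains_with_path):
        print(f"{rule.__name__:24s} matches samples {matching_indexes(rule)}")
```

Running the script prints which samples each rule matches: the `in` form matches nothing, the `contains` form matches both Jenkins agents (samples 0 and 2), and the path-restricted form matches only sample 0. The habit worth carrying back to the product is the same: before trusting a custom rule, check it against one process it must match and one it must not (here, the unrelated java application and the shell that only mentions the Jenkins URL).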


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000g22vCAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail