From b5d6f288283837f69915b09f50d07d9fbde7af38 Mon Sep 17 00:00:00 2001
From: James Smith
Date: Thu, 31 Jul 2025 21:02:57 +1000
Subject: [PATCH] Update hosts_file_modification.yaml

---
 custom_analytic_detections/hosts_file_modification.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/custom_analytic_detections/hosts_file_modification.yaml b/custom_analytic_detections/hosts_file_modification.yaml
index 8d36935..a404065 100644
--- a/custom_analytic_detections/hosts_file_modification.yaml
+++ b/custom_analytic_detections/hosts_file_modification.yaml
@@ -6,8 +6,9 @@ level: 0
 inputType: GPFSEvent
 tags:
 snapshotFiles: []
-filter: $event.isModified == 1 AND
- $event.path ==[cd] "/private/etc/hosts"
+filter: $event.type IN {0, 1, 3, 4} AND
+ ($event.path MATCHES[cd] "/private/etc/hosts" OR
+ $event.path MATCHES[cd] "/etc/hosts")
 actions:
 - name: Log
 context: []
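Review bot: The new `filter:` replaces the self-describing `$event.isModified == 1` with `$event.type IN {0, 1, 3, 4}`, bare numeric codes whose meaning is stated nowhere in the hunk, so a reader tuning this detection cannot tell which file operations it now covers; add a comment above `filter:` such as `# event types matched: 0=<TYPE_0>, 1=<TYPE_1>, 3=<TYPE_3>, 4=<TYPE_4> (per the GPFSEvent schema)` with the placeholders filled in from the schema. `MATCHES[cd]` is, in this predicate syntax, a regular-expression comparison, yet both patterns are literal paths, so the old `==[cd]` form expresses the same whole-path test without regex semantics and is the cheaper operator to evaluate on every file event. Whether `/etc/hosts` ever appears as a reported path depends on whether the event source canonicalises paths (on macOS `/etc` resolves to `/private/etc`); that is worth confirming against sample events rather than keeping the second branch on assumption. The value is also a multi-line plain scalar, which YAML folds into one line here, but a `>-` block scalar would make that folding explicit and guard against an accidental `: ` or ` #` in a future edit.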