
Summary
The OpenCanary - SMB File Open Request detection rule monitors and identifies file open requests made over the SMB (Server Message Block) protocol to OpenCanary nodes. It captures cases where the SMB service is triggered in a potentially unauthorized way and serves as an early warning of lateral movement or data collection activity, which maps to the MITRE ATT&CK techniques T1021 (Remote Services) and T1005 (Data from Local System). The rule filters on logs with a specific logtype (5000) to select and analyze the relevant requests, letting security teams detect suspicious activity; false positives are unlikely. The rule's high severity level reflects the critical nature of SMB requests against these nodes, which may signify an active threat or compromise.
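The logtype-5000 filter the summary describes, run over OpenCanary-style JSON log lines, as an added Python example that is not part of the rule or of OpenCanary itself; the field names (src_host, dst_host, local_time, logdata.USER, logdata.FILENAME) and the sample lines are constructed assumptions about the node's log format.

```python
import json
from collections import Counter

# OpenCanary logtype that marks an SMB file-open event (the value the rule filters on).
SMB_FILE_OPEN_LOGTYPE = 5000

# Constructed OpenCanary-style JSON lines. The field layout (src_host, dst_port,
# logdata.USER, logdata.FILENAME) is an assumption about the node's log format.
SAMPLE_LOG = r"""
{"logtype": 4002, "src_host": "10.0.0.7", "src_port": 51234, "dst_host": "10.0.0.5", "dst_port": 22, "local_time": "2024-03-08 10:00:01", "logdata": {"SESSION": "1"}}
{"logtype": 5000, "src_host": "10.0.0.23", "src_port": 49152, "dst_host": "10.0.0.5", "dst_port": 445, "local_time": "2024-03-08 10:00:05", "logdata": {"USER": "guest", "FILENAME": "\\\\canary\\share\\finance.xlsx"}}
{"logtype": 5000, "src_host": "10.0.0.23", "src_port": 49153, "dst_host": "10.0.0.5", "dst_port": 445, "local_time": "2024-03-08 10:00:06", "logdata": {"USER": "guest", "FILENAME": "\\\\canary\\share\\passwords.txt"}}
this line is not JSON and must not break the detector
{"logtype": 5000, "src_host": "10.0.0.44", "src_port": 50001, "dst_host": "10.0.0.5", "dst_port": 445, "local_time": "2024-03-08 10:02:00", "logdata": {"USER": "svc_backup", "FILENAME": "\\\\canary\\share\\hr\\salaries.docx"}}
"""

def parse_events(raw):
    """Yield one dict per well-formed JSON line; malformed or blank lines are skipped."""
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a single bad line must not stop the detector

def detect_smb_file_open(raw):
    """Apply the rule: every logtype-5000 event becomes a high-severity alert."""
    alerts = []
    for event in parse_events(raw):
        if event.get("logtype") != SMB_FILE_OPEN_LOGTYPE:
            continue
        logdata = event.get("logdata") or {}
        alerts.append({
            "rule": "OpenCanary - SMB File Open Request",
            "severity": "high",
            "mitre": ["T1021", "T1005"],
            "time": event.get("local_time"),
            "src_host": event.get("src_host"),
            "dst_host": event.get("dst_host"),
            "user": logdata.get("USER"),
            "filename": logdata.get("FILENAME"),
        })
    return alerts

def sources_by_volume(alerts):
    """Count alerts per source host so triage starts with the noisiest client."""
    return Counter(a["src_host"] for a in alerts).most_common()
```

Because the node is a decoy, any source host that appears in the alert list is worth investigating, not just the noisiest one.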
Categories
- Network
- Application
- Endpoint
Data Sources
- Application Log
- Network Traffic
Created: 2024-03-08