Update example inspector configuration file

a6c2e0d7 · Pavel Kácha · 52fcdf2a · a6c2e0d7
Commit a6c2e0d7 authored 3 years ago by Pavel Kácha
--- a/conf/mentat-inspector.py.conf
+++ b/conf/mentat-inspector.py.conf
@@ -36,7 +36,7 @@
        },
        {
            "name": "Assign class - attempt-login-ssh",
-            "rule": "Category in ['Attempt.Login'] and (Target.Proto in ['ssh'] or Source.Proto in ['ssh'] or Target.Port in [22])",
+            "rule": "Category in ['Attempt.Login', 'Intrusion.UserCompromise'] and (Target.Proto in ['ssh'] or Source.Proto in ['ssh'] or Target.Port in [22])",
            "actions": [
                {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "attempt-login-ssh", "overwrite": false} },
                {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} }
@@ -124,7 +124,7 @@
        },
        {
            "name": "Assign class - vulnerable-config-netbios",
-            "rule": "Category in ['Vulnerable.Config'] and (Source.Proto in ['netbios-ns'] or Source.Port in [137])",
+            "rule": "Category in ['Vulnerable.Config'] and (Source.Proto in ['netbios-ns', 'netbios-dgm', 'netbios-ssn'] or Source.Port in [137, 138, 139])",
            "actions": [
                {"action": "tag", "args": {"path": "_Mentat.EventClass", "value": "vulnerable-config-netbios", "overwrite": false} },
                {"action": "tag", "args": {"path": "_Mentat.EventSeverity", "value": "medium", "overwrite": false} }