Severity:ERROR AND Channel:Security AND Category:File System

Configuration

query

Severity:ERROR AND Channel:Security AND Category:File System NOT ProcessName:C:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\SavService.exe NOT ProcessName:C:\Windows\System32\lsass.exe AND NOT AccessMask:0x10* AND NOT AccessMask:0x12* AND NOT AccessMask:0xc0080 AND NOT AccessMask:0x80* AND NOT AccessMask:0x16* AND NOT AccessMask:0x20*

config

Key | Value
--- | ---
type | aggregation-v1
query | Severity:ERROR AND Channel:Security AND Category:File System NOT ProcessName:C:\\Program Files (x86)\\Sophos\\Sophos Anti-Virus\\SavService.exe NOT ProcessName:C:\Windows\System32\lsass.exe AND NOT AccessMask:0x10* AND NOT AccessMask:0x12* AND NOT AccessMask:0xc0080 AND NOT AccessMask:0x80* AND NOT AccessMask:0x16* AND NOT AccessMask:0x20*
streams | [5f74fe0891d2ba1b645adb8d]
conditions | {expression:null}
search_within_ms | 3600000
execute_every_ms | 3600000
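The query above, read as one set of per-event predicates, as an added Python example that is not part of this event definition or of Graylog: the three positive terms must all hold, the two ProcessName values are excluded (the query's escaped backslashes are normalized to single backslashes here, which is an assumption about how the field is stored), and each trailing `*` in an AccessMask term is treated as a prefix wildcard on the lowercased mask. The sample events and their ProcessName values are constructed for the demonstration.

```python
from fnmatch import fnmatchcase

# ProcessName exclusions from the query, normalized to single backslashes (assumption).
EXCLUDED_PROCESSES = {
    r"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe",
    r"C:\Windows\System32\lsass.exe",
}

# AccessMask exclusions taken verbatim from the query; a trailing * is a prefix match,
# so "0x10*" excludes "0x100000" and "0x10000" alike but not "0x1".
EXCLUDED_ACCESS_MASKS = ("0x10*", "0x12*", "0xc0080", "0x80*", "0x16*", "0x20*")


def matches_rule(event):
    """Return True if this event would be counted by the query."""
    if (event.get("Severity") != "ERROR"
            or event.get("Channel") != "Security"
            or event.get("Category") != "File System"):
        return False
    if event.get("ProcessName") in EXCLUDED_PROCESSES:
        return False
    # Lowercase so the hex digits compare consistently (assumption about field casing).
    mask = str(event.get("AccessMask", "")).lower()
    return not any(fnmatchcase(mask, pattern) for pattern in EXCLUDED_ACCESS_MASKS)


def select_matching(events):
    """Return the ids of the events the rule would count."""
    return [event["id"] for event in events if matches_rule(event)]


def _fs_event(event_id, process, mask, channel="Security", severity="ERROR"):
    # Helper to build one constructed Security file-system audit record.
    return {
        "id": event_id,
        "Severity": severity,
        "Channel": channel,
        "Category": "File System",
        "ProcessName": process,
        "AccessMask": mask,
    }


# Constructed sample events (not real log data).
UNKNOWN = r"C:\Users\alice\AppData\Local\Temp\update.exe"
SOPHOS = r"C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe"
LSASS = r"C:\Windows\System32\lsass.exe"

SAMPLE_EVENTS = [
    _fs_event(1, UNKNOWN, "0x2"),                     # counted
    _fs_event(2, SOPHOS, "0x2"),                      # excluded: ProcessName
    _fs_event(3, LSASS, "0x2"),                       # excluded: ProcessName
    _fs_event(4, UNKNOWN, "0x80"),                    # excluded: 0x80*
    _fs_event(5, UNKNOWN, "0x100000"),                # excluded: 0x10*
    _fs_event(6, UNKNOWN, "0x10000"),                 # excluded: 0x10* (prefix match)
    _fs_event(7, UNKNOWN, "0x1"),                     # counted: no pattern covers 0x1
    _fs_event(8, UNKNOWN, "0x2", channel="Application"),  # excluded: Channel
    _fs_event(9, UNKNOWN, "0xc0080"),                 # excluded: exact term
    _fs_event(10, UNKNOWN, "0x40000"),                # counted
    _fs_event(11, UNKNOWN, "0x2", severity="INFO"),   # excluded: Severity
]

if __name__ == "__main__":
    print(select_matching(SAMPLE_EVENTS))  # [1, 7, 10]
```

Running the sample set shows which events the exclusion list lets through: the prefix wildcards are the part worth checking when tuning this definition, because a pattern such as `0x10*` covers every mask that begins with those digits, not only the one you had in mind.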

Windows File Modification Monitoring

Ransomware activity detection.

notes

Last modified December 17, 2020