Skip to content

Bug Fix - Suspicious Process Executed From Container File#4161

Open
patel-bhavin wants to merge 4 commits into
developfrom
harendra_bug
Open

Bug Fix - Suspicious Process Executed From Container File#4161
patel-bhavin wants to merge 4 commits into
developfrom
harendra_bug

Conversation

@patel-bhavin

@patel-bhavin patel-bhavin commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

This PR fixes a field-mapping issue in the suspicious process executed from container file detection.

The detection previously extracted the file launched from inside the archive into process_name, which could overwrite or conflict with the CIM process_name field. Since process_name should represent the actual process image, such as wscript.exe, this update renames the extracted archive member field to container_file_name.

This keeps CIM process fields accurate while still capturing the suspicious file executed from the compressed container.

Updated behavior:

process_name = actual executing process
file_name = compressed container file
container_file_name = file launched from inside the container

Slack - https://splunk.slack.com/archives/C9RE1GUSZ/p1783544914063179

@patel-bhavin patel-bhavin added this to the V6.3.0 milestone Jul 9, 2026
nasbench
nasbench previously approved these changes Jul 9, 2026
Comment thread detections/endpoint/suspicious_process_executed_from_container_file.yml Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants