WARNING: THIS SITE IS A MIRROR OF GITHUB.COM / IT CANNOT LOGIN OR REGISTER ACCOUNTS / THE CONTENTS ARE PROVIDED AS-IS / THIS SITE ASSUMES NO RESPONSIBILITY FOR ANY DISPLAYED CONTENT OR LINKS / IF YOU FOUND SOMETHING MAY NOT GOOD FOR EVERYONE, CONTACT ADMIN AT ilovescratch@foxmail.com
Skip to content

[BUG] ESCU - Suspicious Curl Network Connection issue #3796

New issue
New issue
Open
Bug
Open
[BUG] ESCU - Suspicious Curl Network Connection issue#3796
Bug
Assignees
nasbench
Labels
bugSomething isn't working
@JacobOstler

Description

@JacobOstler
JacobOstler
opened on Nov 19, 2025

Describe the bug

This detection is filtering based on the condition Processes.process=s3.amazonaws.com. This will never generate an alert if the datamodel is configured correctly as specified here. If you look at the description for Processes.process you'll see that it's intended to contain the name of the calling process so this would always fail to catch the intended acitivity. Changing this to Processes.process IN("*s3.amazonaws.com*") would resolve this issue.

Expected behavior

An alert/risk score is generated when a URL containing "s3.amazonaws.com" is curled.

App Version:

  • Splunk Cloud
  • Enterprise Security Version: 8.2.2
  • Build: 198157

Metadata

Metadata

Assignees

Labels

bugSomething isn't working

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions