diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index c055850294..1d636ec76c 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -22,7 +22,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\temp\\*" , "*\\PerfLogs\\*","*\\windows\\tasks\\*", "*:\\programdata\\*") by - Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest + Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_path Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml index 27d9a6ccb8..d8050741e3 100644 --- a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml +++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml 
@@ -65,8 +65,3 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog -- name: True Positive Test - CrowdStrike - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log - source: crowdstrike - sourcetype: crowdstrike:events:sensor
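Review bot: in the first hunk (suspicious_process_file_path.yml), the context line still carries `"\\Windows\\repair\\*"` without a leading `*`, unlike every other entry in the path list, so it only matches a process_path that starts literally with `\Windows\repair\` and never one beginning with a drive letter; while this line is being touched it should become `"*\\Windows\\repair\\*"`. The change itself extends the `by` clause with `Processes.process_name` and `Processes.user`, which is the right data to have on a notable, but it also splits results per process name and user and changes the field set handed to `suspicious_process_file_path_filter` and to anything downstream that enumerates the search's output fields, so those should be updated in the same change and the added fields documented.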
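Review bot: in the second hunk (windows_sensitive_registry_hive_dump_via_commandline.yml), removing the `True Positive Test - CrowdStrike` entry leaves only the Sysmon test, so the `crowdstrike:events:sensor` path is no longer exercised; if the detection still lists CrowdStrike among its data sources, that coverage is now untested, and if it does not, the data source list should be trimmed in the same change. Either way the reason for dropping the test (dataset removed, detection no longer supports that sourcetype) belongs in the commit message so the loss of coverage is deliberate rather than accidental.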