tweak

Author: defensivedepth

playbook/dev/sigma/category/file_event.yaml

@@ -35,6 +35,7 @@ questions:
     context: |
       Reviewing the process and command line provides additional context. Pivoting off the ProcessGuid
       will show the full process chain leading to the file creation.
+    range: +/-15m
     answer_sources:
       - process_creation
     query: |
@@ -69,7 +70,7 @@ questions:
         condition: selection
       fields:
         - Image
-        - TargetFilename
+        - file.path
 
   - question: What is the historical pattern of file creation by this executable?
     context: |