11[metadata ]
22creation_date = " 2025/09/01"
3- integration = [" endpoint" , " windows" , " sentinel_one_cloud_funnel" , " crowdstrike " ]
3+ integration = [" endpoint" , " windows" , " sentinel_one_cloud_funnel" ]
44maturity = " production"
55updated_date = " 2025/09/01"
66
@@ -16,7 +16,6 @@ index = [
1616 " endgame-*" ,
1717 " logs-endpoint.events.network-*" ,
1818 " logs-sentinel_one_cloud_funnel.*" ,
19- " logs-crowdstrike.fdr*" ,
2019 " logs-windows.forwarded*" ,
2120 " logs-windows.sysmon_operational-*" ,
2221 " winlogbeat-*"
@@ -67,7 +66,6 @@ tags = [
6766 " Data Source: Elastic Endgame" ,
6867 " Data Source: Elastic Defend" ,
6968 " Data Source: SentinelOne" ,
70- " Data Source: Crowdstrike" ,
7169 " Data Source: Sysmon" ,
7270]
7371timestamp_override = " event.ingested"
@@ -80,11 +78,9 @@ network where host.os.type == "windows" and dns.question.name != null and
8078 "bitsadmin.exe", "InstallUtil.exe", "RegAsm.exe", "vbc.exe", "RegSvcs.exe", "python.exe", "regsvr32.exe", "dllhost.exe",
8179 "node.exe", "javaw.exe", "java.exe", "*.pif", "*.com") or
8280
83- ?process.code_signature.exists == false or ?process.code_signature.trused == false or
84-
8581 ?process.code_signature.subject_name in ("AUTOIT CONSULTING LTD", "AutoIt Consulting Ltd", "OpenJS Foundation", "Python Software Foundation") or
8682
87- ? process.executable : ("?:\\Users\\*.exe", "", "?:\\ProgramData\\*.exe", "?\\Device\\HarddiskVolume?\\Users\\*.exe", "?\\Device\\HarddiskVolume?\\ProgramData\\*.exe" )
83+ ( process.executable : ("?:\\Users\\*.exe", "", "?:\\ProgramData\\*.exe") and ?process.code_signature.trusted != true )
8884 ) and
8985 dns.question.name : (
9086 // Major LLM APIs
@@ -128,7 +124,7 @@ network where host.os.type == "windows" and dns.question.name != null and
128124 "chat.deepseek.com"
129125 ) and
130126
131- not ? process.executable : (
127+ not process.executable : (
132128 "?:\\Program Files\\*.exe",
133129 "?:\\Program Files (x86)\\*.exe",
134130 "?:\\Windows\\System32\\svchost.exe",