Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml

Samirbous · Samirbous · commit 3decbd4cf620 · 2025-11-26T17:37:28.000Z
diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
@@ -96,13 +96,13 @@ tags = [
   "Resources: Investigation Guide",
   "Data Source: Crowdstrike",
   "Data Source: Elastic Defend",
+  "Data Source: Elastic Endgame",
   "Data Source: Windows Security Event Logs",
   "Data Source: Microsoft Defender for Endpoint",
   "Data Source: Sysmon",
   "Data Source: SentinelOne",
   "Data Source: Crowdstrike",
   "Data Source: Auditd Manager",
-  "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -118,7 +118,7 @@ process where event.type == "start" and
     process.name in ("curl", "wget", "curl.exe", "wget.exe")
   )
 ) and
- not process.command_line like ("*127.0.0.1*", "*localhost*") 
+ not process.command_line like ("*127.0.0.1*", "*localhost*")
 '''
 
 [[rule.threat]]
