Update rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml

Aegrah · web-flow · commit 447e3213d839 · 2025-12-03T16:13:39.000+01:00
diff --git a/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml b/rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml
@@ -67,7 +67,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=10s
   [process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "ProcessRollup2", "start") and process.name == "node" and process.args == "install"] by process.entity_id
-  [process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node"] by process.parent.entity_id
+  [process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "ProcessRollup2", "start") and process.parent.name == "node"] by process.parent.entity_id
 '''
 
 [[rule.threat]]
