Update defense_evasion_process_termination_followed_by_deletion.toml

Samirbous · Samirbous · commit 54eba763c5e8 · 2025-12-11T17:27:41.000Z
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -42,10 +42,10 @@ from = "now-9m"
 index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Process Termination followed by Deletion"
+name = "Deprecated - Process Termination followed by Deletion"
 note = """## Triage and analysis
 
-### Investigating Process Termination followed by Deletion
+### Investigating Deprecated - Process Termination followed by Deletion
 
 This rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.
 
