Commit 7c64938

Aegrah and Samirbous authored
Update rules/cross-platform/credential_access_gitleaks_execution.toml
Co-authored-by: Samirbous <[email protected]>
1 parent 4c19cd7 commit 7c64938

1 file changed, +1 -1 lines changed


rules/cross-platform/credential_access_gitleaks_execution.toml

Lines changed: 1 addition & 1 deletion
@@ -91,7 +91,7 @@ tags = [
9191
timestamp_override = "event.ingested"
9292
type = "eql"
9393
query = '''
94-
process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
94+
process where event.type == "start" and event.action like ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started", "Process Create*") and
9595
process.name : ("gitleaks.exe", "gitleaks")
9696
'''
9797
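Review bot: On the new line 94, `like` is the case-sensitive form in EQL, so the added `"Process Create*"` pattern only matches that exact casing, while the `process.name` check on line 95 uses the case-insensitive `:` operator. If the source that emits this action can vary in case, use `like~` (or `:`) on `event.action` so the two conditions behave consistently. Since `"Process Create*"` is the only entry with a wildcard and the reason for moving from `in` to `like`, it would help to say in the rule (or the commit message) which data source produces that value, so a later cleanup does not switch the operator back to `in` and silently drop coverage. The diff touches only the query line; if this repository expects the rule's metadata date to move with query changes, that still needs to be updated.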
