Update rules/windows/impact_high_freq_file_renames_by_kernel.toml

Samirbous · terrancedejesus · web-flow · commit 8deb2be98e45 · 2025-10-21T15:57:14.000+01:00
Co-authored-by: Terrance DeJesus &lt;99630311+terrancedejesus@users.noreply.github.com&gt;
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -78,7 +78,7 @@ from logs-endpoint.events.file-* metadata _id, _version, _index
 | keep user.id, user.name, file.path, file.name, process.entity_id, Esql.time_window_date_trunc, host.name, host.ip
 
 // filter for same file name dropped in at least 3 unique paths by the System virtual process
-| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path),  Esql.file_path_values = VALUES(file.path), Esql.host_ips = values(host.ip) by host.name, user.name, user.id, process.entity_id , file.name, Esql.time_window_date_trunc
+| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path),  Esql.file_path_values = VALUES(file.path), Esql.host_ip_values = values(host.ip) by host.name, user.name, user.id, process.entity_id , file.name, Esql.time_window_date_trunc
 | where Esql.file_path_count_distinct >= 3
 '''
 
