Update impact_high_freq_file_renames_by_kernel.toml

Samirbous · web-flow · commit 9a360c24c9e0 · 2025-10-21T15:13:33.000+01:00
diff --git a/rules/windows/impact_high_freq_file_renames_by_kernel.toml b/rules/windows/impact_high_freq_file_renames_by_kernel.toml
@@ -75,10 +75,10 @@ from logs-endpoint.events.file-* metadata _id, _version, _index
 // truncate the timestamp to a 60-second window
 | eval Esql.time_window_date_trunc = date_trunc(60 seconds, @timestamp)
 
-| keep file.path, file.name, process.entity_id, Esql.time_window_date_trunc, host.name, host.ip
+| keep user.id, user.name, file.path, file.name, process.entity_id, Esql.time_window_date_trunc, host.name, host.ip
 
 // filter for same file name dropped in at least 3 unique paths by the System virtual process
-| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path),  Esql.file_path_values = VALUES(file.path), Esql.host_ips = values(host.ip) by host.name, process.entity_id , file.name, Esql.time_window_date_trunc
+| stats Esql.file_path_count_distinct = COUNT_DISTINCT(file.path),  Esql.file_path_values = VALUES(file.path), Esql.host_ips = values(host.ip) by host.name, user.name, user.id, process.entity_id , file.name, Esql.time_window_date_trunc
 | where Esql.file_path_count_distinct >= 3
 '''
 
