22creation_date = " 2020/11/04"
33integration = [" endpoint" ]
44maturity = " production"
5- updated_date = " 2025/02/03 "
5+ updated_date = " 2025/04/30 "
66
77[transform ]
88[[transform .investigate ]]
@@ -231,14 +231,16 @@ network where host.os.type == "windows" and network.protocol == "dns" and
231231 "www.googleapis.com",
232232 "googleapis.com",
233233 "global.rel.tunnels.api.visualstudio.com",
234- "*.devtunnels.ms") and
234+ "*.devtunnels.ms",
235+ "api.github.com") and
235236
236237 /* Insert noisy false positives here */
237238 not (
238239 (
239240 process.executable : (
240241 "?:\\Program Files\\*.exe",
241242 "?:\\Program Files (x86)\\*.exe",
243+ "?:\\Windows\\system32\\svchost.exe",
242244 "?:\\Windows\\System32\\WWAHost.exe",
243245 "?:\\Windows\\System32\\smartscreen.exe",
244246 "?:\\Windows\\System32\\MicrosoftEdgeCP.exe",
@@ -250,8 +252,11 @@ network where host.os.type == "windows" and network.protocol == "dns" and
250252 "?:\\Users\\*\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe",
251253 "?:\\Users\\*\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe",
252254 "?:\\Users\\*\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
255+ "?:\\Users\\*\\AppData\\Local\\PowerToys\\PowerToys.exe",
253256 "?:\\Windows\\system32\\mobsync.exe",
254- "?:\\Windows\\SysWOW64\\mobsync.exe"
257+ "?:\\Windows\\SysWOW64\\mobsync.exe",
258+ "?:\\Windows\\System32\\wsl.exe",
259+ "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe"
255260 )
256261 ) or
257262
@@ -295,7 +300,10 @@ network where host.os.type == "windows" and network.protocol == "dns" and
295300 "Slack Technologies, LLC",
296301 "Cisco Systems, Inc.",
297302 "Dropbox, Inc",
298- "Amazon.com Services LLC"))
303+ "Amazon.com Services LLC",
304+ "Island Technology Inc.",
305+ "GitHub, Inc.",
306+ "Red Hat, Inc"))
299307 )
300308'''
301309
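Review bot: The new `"?:\\Windows\\system32\\svchost.exe"` entry at new line 243 excludes the generic service host by path alone, and within the visible group (new lines 239–261) that path list is OR'd with the other exclusions rather than combined with any signature or service condition, so any service DLL or code running under svchost that resolves one of the monitored tunnelling domains — including the `api.github.com` name this same commit adds at new line 235 — is suppressed. Because svchost is always Microsoft-signed, a signer check adds little here; a tighter exclusion would pair the path with the specific name that produced the noise, e.g. `(process.executable : "?:\\Windows\\system32\\svchost.exe" and dns.question.name : "<NOISY_DOMAIN_PLACEHOLDER>")`, with a `/* ... */` comment naming the service responsible, in the style of the existing `/* Insert noisy false positives here */` marker. The same path-only concern applies, to a lesser degree, to `wsl.exe` at new line 258, which fronts arbitrary user-supplied code. The enclosing `not (` clause opens at new line 238 and appears to close at new line 307, but the content between the hunks is not visible.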