Merge pull request #3651 from PJS-Cyber/patch-1

Update windows_wmi_process_and_service_list.yml

Author: patel-bhavin

detections/endpoint/windows_wmi_process_and_service_list.yml

@@ -1,7 +1,7 @@
 name: Windows WMI Process And Service List
 id: ef3c5ef2-3f6d-4087-aa75-49bf746dc907
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-08-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -18,14 +18,19 @@ data_source:
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process
-  IN ("*process list*", "*service list*") by Processes.action Processes.dest Processes.original_file_name
+  as lastTime from datamodel=Endpoint.Processes where 
+  `process_wmic` 
+  Processes.process IN ("*process*", "*service*") 
+  Processes.process = "*list*"
+  by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
   Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
   Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_wmi_process_and_service_list_filter`'
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_wmi_process_and_service_list_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,