headless_bee

tccontre · tccontre · commit 2d336796fc9e · 2025-02-13T12:49:05.000+01:00
diff --git a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
@@ -9,7 +9,8 @@ description: The following analytic detects an anomaly where a svchost.exe proce
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name != "services.exe" AND Processes.process_name = "svchost.exe" AND Processes.process != unknown
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
+  where Processes.parent_process_name != "services.exe" AND Processes.process_name = "svchost.exe" AND Processes.process != unknown
   by Processes.parent_process_name Processes.parent_process_path Processes.parent_process Processes.process_path Processes.process Processes.original_file_name Processes.dest Processes.user 
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)` 
