Commit 43b9a93

user_id
1 parent 2eb0c46 commit 43b9a93

1 file changed: +2 -2 lines

detections/endpoint/windows_service_created_with_suspicious_service_name.yml

Lines changed: 2 additions & 2 deletions
@@ -12,7 +12,7 @@ search: |-
1212
`wineventlog_system` EventCode=7045
1313
| stats values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID
1414
| eval process_name = mvindex(split(process,"\\"),-1)
15-
| rename Computer as dest, ServiceName as object_name, ServiceType as object_type, UserID as user
15+
| rename Computer as dest, ServiceName as object_name, ServiceType as object_type, UserID as user_id
1616
| lookup windows_suspicious_services service_name as object_name
1717
| where isnotnull(tool_name)
1818
| `security_content_ctime(firstTime)`
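Review bot: renaming `UserID as user` to `UserID as user_id` on the `| rename` line silently breaks any consumer that still reads the `user` field, and `user` is the conventional field name for CIM-based correlation, notables and risk attribution; the commit message `user_id` gives no motivation, so state in it why `user` is being replaced (for example, because the value carried in UserID for EventCode 7045 is an identifier rather than an account name), and check in the same change that nothing else in this detection or its drilldowns still references `user`, since only the rba block is updated below.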
@@ -44,7 +44,7 @@ rba:
4444
- field: dest
4545
type: system
4646
score: 75
47-
- field: user
47+
- field: user_id
4848
type: user
4949
score: 75
5050
threat_objects:
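Review bot: the rba entry now reads `- field: user_id` while keeping `type: user`, so risk will be attributed to whatever value `user_id` carries; if that value is an identifier rather than an account name, confirm that risk objects of `type: user` still resolve to the intended identity, and verify that no other `user` reference (for instance in drilldown searches or a required-fields list) was missed, since this commit touches only the rename line and this one rba field.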
