headless_bee

Author: tccontre

detections/endpoint/windows_anonymous_pipe_activity.yml

@@ -10,8 +10,7 @@ data_source:
 - Sysmon EventID 17
 - Sysmon EventID 18
 search: '`sysmon` EventCode IN (17,18) PipeName="*Anonymous Pipe*" NOT( Image IN ("*\\Program Files\\*"))
-  | rename Image as process_name 
-  | stats  min(_time) as firstTime max(_time) as lastTime count by dest user EventCode PipeName signature process_name process_id process_guid EventType 
+  | stats  min(_time) as firstTime max(_time) as lastTime count by dest user EventCode PipeName signature Image EventType 
   | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)`
   | `windows_anonymous_pipe_activity_filter`'
@@ -44,9 +43,7 @@ rba:
   - field: user
     type: user
     score: 30
-  threat_objects:
-  - field: process_name
-    type: process_name
+  threat_objects: []
 tags:
   analytic_story:
   - SnappyBee