Apply suggestions from code review

nasbench · web-flow · commit 662b542299f9 · 2025-01-07T17:44:25.000+01:00
diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
@@ -9,6 +9,7 @@ description: The following analytic detects the use of NetExec (formally Crackma
 data_source: 
 - Windows Security Event ID 4688
 - Sysmon Event ID 1
+- CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND ((Processes.process = "* -p *" AND Processes.process = "* -u *") OR Processes.process IN ("* -x *","* -M *","* --*"))) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name  
 |`drop_dm_object_name(Processes)`
 | `security_content_ctime(firstTime)`
