splunk
diff --git a/‎detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml‎
Lines changed: 1 addition & 1 deletion b/‎detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎macros/aws_config.yml‎ ‎macros/deprecated/aws_config.yml‎macros/aws_config.yml renamed to macros/deprecated/aws_config.yml b/‎macros/aws_config.yml‎ ‎macros/deprecated/aws_config.yml‎macros/aws_config.yml renamed to macros/deprecated/aws_config.yml
diff --git a/‎macros/aws_description.yml‎ ‎macros/deprecated/aws_description.yml‎macros/aws_description.yml renamed to macros/deprecated/aws_description.yml b/‎macros/aws_description.yml‎ ‎macros/deprecated/aws_description.yml‎macros/aws_description.yml renamed to macros/deprecated/aws_description.yml
diff --git a/‎macros/aws_securityhub_firehose.yml‎ ‎…/deprecated/aws_securityhub_firehose.yml‎macros/aws_securityhub_firehose.yml renamed to macros/deprecated/aws_securityhub_firehose.yml b/‎macros/aws_securityhub_firehose.yml‎ ‎…/deprecated/aws_securityhub_firehose.yml‎macros/aws_securityhub_firehose.yml renamed to macros/deprecated/aws_securityhub_firehose.yml
diff --git a/‎macros/azuread.yml‎ ‎macros/deprecated/azuread.yml‎macros/azuread.yml renamed to macros/deprecated/azuread.yml b/‎macros/azuread.yml‎ ‎macros/deprecated/azuread.yml‎macros/azuread.yml renamed to macros/deprecated/azuread.yml
diff --git a/‎macros/brand_abuse_dns.yml‎ ‎macros/deprecated/brand_abuse_dns.yml‎macros/brand_abuse_dns.yml renamed to macros/deprecated/brand_abuse_dns.yml b/‎macros/brand_abuse_dns.yml‎ ‎macros/deprecated/brand_abuse_dns.yml‎macros/brand_abuse_dns.yml renamed to macros/deprecated/brand_abuse_dns.yml
diff --git a/‎macros/brand_abuse_email.yml‎ ‎macros/deprecated/brand_abuse_email.yml‎macros/brand_abuse_email.yml renamed to macros/deprecated/brand_abuse_email.yml b/‎macros/brand_abuse_email.yml‎ ‎macros/deprecated/brand_abuse_email.yml‎macros/brand_abuse_email.yml renamed to macros/deprecated/brand_abuse_email.yml
diff --git a/‎macros/brand_abuse_web.yml‎ ‎macros/deprecated/brand_abuse_web.yml‎macros/brand_abuse_web.yml renamed to macros/deprecated/brand_abuse_web.yml b/‎macros/brand_abuse_web.yml‎ ‎macros/deprecated/brand_abuse_web.yml‎macros/brand_abuse_web.yml renamed to macros/deprecated/brand_abuse_web.yml
diff --git a/‎…ly_unseen_user_roles_activity_window.yml‎ ‎…ly_unseen_user_roles_activity_window.yml‎macros/cloud_api_calls_from_previously_unseen_user_roles_activity_window.yml renamed to macros/deprecated/cloud_api_calls_from_previously_unseen_user_roles_activity_window.yml b/‎…ly_unseen_user_roles_activity_window.yml‎ ‎…ly_unseen_user_roles_activity_window.yml‎macros/cloud_api_calls_from_previously_unseen_user_roles_activity_window.yml renamed to macros/deprecated/cloud_api_calls_from_previously_unseen_user_roles_activity_window.yml
diff --git a/‎macros/cloudwatch_eks.yml‎ ‎macros/deprecated/cloudwatch_eks.yml‎macros/cloudwatch_eks.yml renamed to macros/deprecated/cloudwatch_eks.yml b/‎macros/cloudwatch_eks.yml‎ ‎macros/deprecated/cloudwatch_eks.yml‎macros/cloudwatch_eks.yml renamed to macros/deprecated/cloudwatch_eks.yml
@@ -8,7 +8,7 @@ type: TTP
 description: The following analytic detects the execution of native .NET binaries
   from non-standard directories within the Windows operating system. It leverages
   Endpoint Detection and Response (EDR) telemetry, comparing process names and original
-  file names against a predefined lookup using the `is_net_windows_file_macro` macro.
+  file names against a predefined lookup "is_net_windows_file".
   This activity is significant because adversaries may move .NET binaries to unconventional
   paths to evade detection and execute malicious code. If confirmed malicious, this
   behavior could allow attackers to execute arbitrary code, escalate privileges, or