Update windows_powershell_process_with_malicious_string.yml

updating to new yml to pass testing

Author: nterl0k

detections/endpoint/windows_powershell_process_with_malicious_string.yml

@@ -37,25 +37,26 @@ drilldown_searches:
   search: '| from datamodel:Endpoint.Processes | search dest=$dest|s$ process_name=$process_name$ "*$match$*"'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: The user $user$ ran a known malicious PowerShell string matching *$match$* on $dest$
+  risk_objects:
+  - field: user
+    type: user
+    score: 70
+  - field: dest
+    type: system
+    score: 70
+  threat_objects:
+  - field: process_name
+    type: process_name
 tags:
   analytic_story: 
   - Malicious PowerShell
   asset_type: Endpoint
-  confidence: 90
-  impact: 80
-  message: The user $user$ ran a known malicious PowerShell string matching *$match$* on $dest$
+  message: 
   mitre_attack_id: 
   - T1059
   - T1059.001
-  observable: 
-  - name: dest
-    type: Hostname
-    role:
-    - Victim
-  - name: user
-    type: User
-    role:
-    - Victim
   product: 
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -66,7 +67,6 @@ tags:
   - Processes.process_name 
   - Processes.process
   - Processes.parent_process_name
-  risk_score: 72
   security_domain: threat
 tests:
 - name: True Positive Test