udpating from integration test

patel-bhavin · patel-bhavin · commit dc9561dec97a · 2025-02-19T16:29:22.000-08:00
diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml
@@ -14,7 +14,7 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
   where Processes.process_path IN("*\\temp\\*")
-  by Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest Processes.user 
+  by Processes.parent_process_name Processes.process_nameProcesses.parent_process Processes.process_path Processes.dest Processes.user 
   | `drop_dm_object_name(Processes)` 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)`
diff --git a/detections/endpoint/windows_security_and_backup_services_stop.yml b/detections/endpoint/windows_security_and_backup_services_stop.yml
@@ -47,7 +47,7 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Known services $param1$ terminated by a potential ransomware on $dest$
+  message: Known services $display_name$ terminated by a potential ransomware on $dest$
   risk_objects:
   - field: dest
     type: system
