Update process_creation_susp_7z.yml

rules/windows/process_creation/process_creation_susp_7z.yml

@@ -15,14 +15,15 @@ logsource:
 detection:
     selection_7z:
         Image|endswith:
-            - '7z.exe'
-            - '7za.exe'
-    selection_param:
-        CommandLine|contains|all:
-            - ' -p'
+            - '\7z.exe'
+            - '\7za.exe'
+    selection_password:
+        CommandLine|contains: ' -p'
+    selection_action:
+        CommandLine|contains:
             - ' a '
             - ' u '
-    condition: selection_7z and selection_param
+    condition: all of them
 falsepositives:
     - Command line parameter combinations that contain all included strings
 level: medium