Changed rule

* Adapted false positive notice to observation * Decreased level
2024-11-06 17:35:19 +00:00 · 2019-05-09 23:25:23 +02:00 · 2019-05-09 23:25:23 +02:00 · e60fe1f46d
commit e60fe1f46d
parent 3dd76a9c5e
1 changed files with 4 additions and 4 deletions
--- a/rules/windows/process_creation/win_proc_wrong_parent.yml
+++ b/rules/windows/process_creation/win_proc_wrong_parent.yml
@ -28,9 +28,9 @@ detection:
            - '*\winlogon.exe'
    filter:
        ParentImage:
-            - '*\System32\*'
-            - '*\SysWOW64\*'
+            - '*\System32\\*'
+            - '*\SysWOW64\\*'
    condition: selection and not filter
 falsepositives:
-    - Unknown please report back
-level: high
+    - Some security products seem to spawn these
+level: low