fix: final fp

YamatoSecurity · Jan 18, 2023 · dd99875 · dd99875
1 parent 0d24219
commit dd99875
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
@@ -50,3 +50,5 @@ b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\.exe
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\.exe 
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe
 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe
+a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: DESKTOP-A8CALR3
+a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35
diff --git a/rules/windows/builtin/system/win_system_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_eventlog_cleared.yml
@@ -25,14 +25,14 @@ logsource:
 detection:
     selection:
         EventID: 104
-        Provider_Name: Microsoft-Windows-Eventlog
-    filter_covered_channels:
+        Provider_Name: 'Microsoft-Windows-Eventlog'
+    filter:
         # The channels below are already covered by the rule 100ef69e-3327-481c-8e5c-6d80d9507556
         Channel:
             - 'System'
             - 'Security'
             - 'Application'
-    condition: selection and not 1 of filter_*
+    condition: selection and not filter
 falsepositives:
     - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
     - System provisioning (system reset before the golden image creation)

diff --git a/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml
@@ -21,7 +21,7 @@ logsource:
 detection:
     selection:
         EventID: 104
-        Provider_Name: Microsoft-Windows-Eventlog
+        Provider_Name: 'Microsoft-Windows-Eventlog'
         Channel:
             - 'System'
             - 'Security'