Skip to content

Commit f60a0be

Browse files
committed
Update windows_vssvc_process_accessing_defender_engine.yml
1 parent 0e5f767 commit f60a0be

1 file changed

Lines changed: 2 additions & 2 deletions

File tree

detections/endpoint/windows_vssvc_process_accessing_defender_engine.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -16,8 +16,8 @@ data_source:
1616
search: |-
1717
`sysmon`
1818
EventCode=10
19-
TargetImage="\\MsMpEng.exe"
20-
SourceImage="\\vssvc.exe"
19+
TargetImage="*\\MsMpEng.exe"
20+
SourceImage="*\\vssvc.exe"
2121
| stats count min(_time) as firstTime
2222
max(_time) as lastTime
2323
by EventID GrantedAccess Guid Opcode ProcessID

0 commit comments

Comments
 (0)