Two detections have broken search syntax.
Affected detections:
Title: Sunburst Correlation DLL and Network Event
Issue: Leading pipe
| (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com)
| eventstats dc(EventCode) AS dc_events
| where dc_events=2
| stats count min(_time) as firstTime max(_time) as lastTime
BY Image ImageLoaded dest
loaded_file loaded_file_path original_file_name
process_exec process_guid process_hash
process_id process_name process_path
service_dll_signature_exists service_dll_signature_verified signature
signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `sunburst_correlation_dll_and_network_event_filter`
Title: Windows DLL Side-Loading In Calc
Issue: Leading quote
'`sysmon`
EventCode=7
Image="*\\calc.exe"
ImageLoaded="*\\WindowsCodecs.dll"
NOT Image IN ("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*")
NOT ImageLoaded IN("*:\\Windows\\System32\\*", "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\WinSXS\\*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
by Image ImageLoaded dest loaded_file loaded_file_path original_file_name
process_exec process_guid process_hash process_id process_name
process_path service_dll_signature_exists service_dll_signature_verified
signature signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_dll_side_loading_in_calc_filter`
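As an added illustration (not code from the security_content project), a small Python linter that catches the two defects reported above, a leading pipe not followed by a generating command and a stray leading quote, plus the balance checks that usually accompany such typos. The sample searches are constructed abbreviations of the two detections; the set of generating commands is an assumed, non-exhaustive list.

```python
"""Lint SPL detection searches for leading-pipe and leading-quote defects."""
from __future__ import annotations
import re

# SPL commands that may legitimately open a search with a leading pipe (assumed, non-exhaustive)
GENERATING_COMMANDS = {"tstats", "inputlookup", "makeresults", "datamodel",
                       "rest", "metadata", "from", "search", "dbinspect"}

# Constructed samples modelled on the affected detections (searches abbreviated)
SAMPLE_SEARCHES = {
    "Sunburst Correlation DLL and Network Event":
        "| (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) "
        "OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com) "
        "| eventstats dc(EventCode) AS dc_events | where dc_events=2",
    "Windows DLL Side-Loading In Calc":
        "'`sysmon` EventCode=7 Image=\"*\\\\calc.exe\" ImageLoaded=\"*\\\\WindowsCodecs.dll\" "
        "| fillnull | stats count by Image ImageLoaded dest",
    "Valid tstats search":
        "| tstats count from datamodel=Endpoint.Processes by Processes.process_name",
}

def lint_spl(search: str) -> list[str]:
    """Return the syntax problems found in one SPL search (empty list if clean)."""
    problems = []
    s = search.strip()
    if s.startswith("|"):
        rest = s[1:].strip()
        first = rest.split(None, 1)[0] if rest else ""
        if first.lower() not in GENERATING_COMMANDS:
            problems.append("leading pipe: '|' must be followed by a generating command")
    if s[:1] in ("'", '"'):
        problems.append(f"leading quote: search begins with {s[0]!r}")
    # Macro delimiters and parentheses must be balanced
    if s.count("`") % 2:
        problems.append("unbalanced backtick (macro delimiter)")
    if s.count("(") != s.count(")"):
        problems.append("unbalanced parentheses")
    # Double quotes: drop escaped ones first, then require an even count
    if re.sub(r'\\"', "", s).count('"') % 2:
        problems.append("unbalanced double quotes")
    return problems

def lint_all(searches: dict[str, str]) -> dict[str, list[str]]:
    """Lint every search and return only those with findings."""
    return {name: p for name, s in searches.items() if (p := lint_spl(s))}

if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_SEARCHES).items():
        print(f"{name}: {'; '.join(findings)}")
```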