splunk/security_content

Scheduled Task Initiation on Remote Endpoint - Update Analytics

Badoodish opened this issue · 2 comments

One of the current filters: Processes.process=*/s* creates false positives because it matches on the /sc switch/argument for the schtasks.exe binary.
Recommend adding a space character like so: Processes.process=*/s *
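An added example, not code from this issue or from the security_content project: it emulates SPL-style wildcard field matching over constructed schtasks.exe command lines so a filter change like the one proposed above can be checked against sample data before it ships. The sample command lines and helper names are constructed for illustration.

```python
import re

# Constructed sample command lines (not taken from the issue): the first two
# carry the /sc switch that caused the false positives, the third has no /s at
# all, and the last two are genuine remote invocations via /s or /S.
SAMPLE_PROCESSES = [
    r'schtasks.exe /create /sc daily /tn Updater /tr C:\tools\upd.exe',
    r'schtasks.exe /create /sc minute /mo 5 /tn Sync /tr notepad.exe',
    r'schtasks.exe /query /tn Updater',
    r'schtasks.exe /create /s 10.0.0.5 /u DOMAIN\admin /tn Task /tr cmd.exe',
    r'schtasks.exe /run /S FILESRV01 /tn Task',
]


def spl_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn an SPL field filter value such as */s * into an anchored regex.

    In SPL field matching only '*' is a wildcard and comparison is
    case-insensitive, so every other character is escaped literally.
    """
    parts = [re.escape(p) for p in pattern.split('*')]
    return re.compile('^' + '.*'.join(parts) + '$', re.IGNORECASE | re.DOTALL)


def matching_processes(pattern: str, processes=SAMPLE_PROCESSES) -> list:
    """Return the command lines a Processes.process=<pattern> filter would match."""
    rx = spl_wildcard_to_regex(pattern)
    return [p for p in processes if rx.search(p)]


def false_positives(old_pattern: str, new_pattern: str,
                    processes=SAMPLE_PROCESSES) -> list:
    """Command lines matched by the old filter but dropped by the tightened one."""
    new_hits = set(matching_processes(new_pattern, processes))
    return [p for p in matching_processes(old_pattern, processes)
            if p not in new_hits]


if __name__ == '__main__':
    for pattern in ('*/s*', '*/s *'):
        print(f'Processes.process={pattern}')
        for hit in matching_processes(pattern):
            print('   ', hit)
    print('Removed by the tightened filter:')
    for fp in false_positives('*/s*', '*/s *'):
        print('   ', fp)
```

The tightened filter still matches the uppercase /S form because SPL field matching is case-insensitive, which the regex reproduces.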

Thank you @Badoodish: We have fixed this SPL and will ship an updated version shortly! Appreciate the details in here.

Shipped in 4.37.0! Thank you!