fix: FPs, wrong modifier

rules/windows/builtin/windefend/win_alert_lsass_access.yml

@@ -35,7 +35,7 @@ detection:
             - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
             - 'C:\Windows\SysWOW64\msiexec.exe'
     filter_begins:
-        ProcessName|beginswith:
+        ProcessName|startswith:
             - 'C:\Windows\System32\\DriverStore\'
             - 'C:\WINDOWS\Installer\'
             - 'C:\Program Files\'

rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml

@@ -4,7 +4,7 @@ description: Raw disk access using illegitimate tools, possible defence evasion
 author: Teymur Kheirkhabarov, oscd.community
 status: test
 date: 2019/10/22
-modified: 2022/02/08
+modified: 2022/02/09
 references:
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 tags:
@@ -60,20 +60,16 @@ detection:
     filter_windefender:
         Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
         Image|endswith: '\MsMpEng.exe'
-    filter_appdata:
-        Image|contains|all: 
-            - 'C:\Users\'
-            - '\Microsoft\OneDrive\'
-            - '\FileCoAuth.exe'
     filter_programfiles:  # this rule causes so many FPs that we have to do this
         Image|startswith:
             - 'C:\Program Files\'
             - 'C:\Program Files (x86)\'
-    filter_onedrive:
+    filter_appdata:
         Image|contains|all:
             - 'C:\Users\'
             - '\AppData\'
-            - '\Microsoft\OneDrive\'
+        Image|contains:
+            - '\Microsoft\'
     condition: not 1 of filter_*
 fields:
     - ComputerName