From 8944ccea04c6548541cef62b84b5d1728d3f2c7e Mon Sep 17 00:00:00 2001
From: wagga40 <6437862+wagga40@users.noreply.github.com>
Date: Thu, 13 May 2021 06:19:04 +0200
Subject: [PATCH] Modified some field values for case sensitive backends (SQL)

---
 .../sysmon_alternate_powershell_hosts_moduleload.yml | 4 ++--
 .../image_load/sysmon_powershell_execution_moduleload.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
index 63f5efe97..da11d28d9 100644
--- a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
+++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
@@ -14,8 +14,8 @@ logsource:
     service: image_load
 detection:
     selection:
-        Description: 'system.management.automation'
-        ImageLoaded|contains: 'system.management.automation'
+        Description: 'System.Management.Automation'
+        ImageLoaded|contains: 'System.Management.Automation'
     filter:
         Image|endswith: '\powershell.exe'
     condition: selection and not filter
diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
index b0d0303f9..bb3cbec63 100755
--- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
+++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
@@ -16,8 +16,8 @@ logsource:
     product: windows
 detection:
     selection:
-        Description: 'system.management.automation'
-        ImageLoaded|contains: 'system.management.automation'
+        Description: 'System.Management.Automation'
+        ImageLoaded|contains: 'System.Management.Automation'
     condition: selection
 fields:
     - ComputerName
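Review bot: The re-cased `Description` and `ImageLoaded|contains` values in this hunk (and the identical pair in sysmon_powershell_execution_moduleload.yml) make the two rules depend on the exact casing the event carries, whereas Sigma string matching is defined as case-insensitive; on a backend that compares case-sensitively, presumably every other rule in the repository is affected in the same way, so the durable fix is in the backend/converter (a case-insensitive collation or lowercasing both sides of the comparison) rather than in individual rule values. The mixed casing is presumably what Sysmon writes for this DLL's version-resource description and on-disk path, but a case-sensitive deployment should confirm it against real image-load events before relying on this change, since a single casing difference now yields a silent miss. If the values are kept as written, a comment in each rule such as `# casing is significant on case-sensitive backends (e.g. SQL); do not lowercase` would stop a later normalisation pass from silently breaking detection there. The unchanged `filter` (`Image|endswith: '\powershell.exe'`) in this hunk carries the same case-sensitivity caveat on such backends.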