From 37af110aa28aebc3d4be001c2974fee880e52975 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 25 Oct 2022 23:48:08 +0200
Subject: [PATCH] Update proc_creation_win_susp_office_token_search.yml

---
 .../proc_creation_win_susp_office_token_search.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml b/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
index 2a971b83b..86e9da2fe 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml
@@ -1,7 +1,7 @@
 title: Suspicious Office Token Search Via CLI
 id: 6d3a3952-6530-44a3-8554-cf17c116c615
 status: experimental
-description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX"
+description: Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.
 author: Nasreddine Bencherchali
 references:
 - https://mrd0x.com/stealing-tokens-from-office-applications/
@@ -14,8 +14,10 @@ logsource:
 product: windows
 detection:
 selection:
+ # Comment out the line below and use it instead of the shorter CommandLine if you experience a lot of FP
+ #CommandLine|contains: 'eyJ0eXAiOi' # {"typ":
 CommandLine|contains: 'eyJ0eX'
 condition: selection
 falsepositives:
- - Rare legitimate command-lines containing the string mentioned in the command-line
+ - Legitimate command-lines containing the string mentioned in the command-line
 level: medium
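Review bot: The new comment in the second hunk reads backwards: "Comment out the line below and use it instead" tells the reader to disable the active `CommandLine|contains: 'eyJ0eX'` selector, when the intent is to enable the commented `'eyJ0eXAiOi'` alternative above it; suggest `# If 'eyJ0eX' below is too noisy, uncomment this line and comment out the shorter one`. Both anchors also assume the JWT header is serialized with `typ` first (`{"typ":` encodes to `eyJ0eX...`); a token whose header starts with `alg` encodes to `eyJhbGci` and is not matched, which is worth stating in the description or adding as a second value if such tokens are in scope for this rule. Note as well that Sigma string matching is case-insensitive by default, so the base64 anchor will also match mixed-case strings such as `EYJ0EX`; the longer commented anchor narrows the match but does not change that, so it may be worth a line under `falsepositives`.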