From 4bdc286a024bc4bccfb1cf52273c0037e7f22cf0 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 1 Nov 2022 11:10:07 +0100
Subject: [PATCH] Update rules/windows/image_load/image_load_susp_python_image_load.yml

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../windows/image_load/image_load_susp_python_image_load.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index 65dcf3eb4..7b2947e87 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -25,11 +25,8 @@ detection:
 - 'C:\Program Files (x86)\'
 - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment
 filter_aurora:
- # Example:
- # ImageLoaded: C:\ProgramData\Anaconda3\DLLs\_queue.pyd
- # ImageName: \Device\HarddiskVolume5\ProgramData\Anaconda3\DLLs\_queue.pyd
 Provider_Name: Microsoft-Windows-Kernel-Process
- ImageName|contains: '\ProgramData\Anaconda3\DLLs\'
+ Image: null
 condition: selection and not 1 of filter_*
 fields:
 - Description
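Review bot: `Image: null` in filter_aurora excludes every Microsoft-Windows-Kernel-Process event that lacks an Image field, which is much broader than the Anaconda-path match it replaces; with `condition: selection and not 1 of filter_*`, any Python image load reported only by that provider is now dropped regardless of where the DLL was loaded from. If that is intended (the removed example lines suggest these events carry ImageName with a device path rather than Image, so the Image-based path filters above cannot apply to them), the reason should be stated in the rule, e.g. `# Kernel-Process (Aurora) events carry ImageName instead of Image; exclude them rather than path-match`. Consider keeping the removed ImageName example next to that comment so the provider's field shape stays documented for anyone tuning the filter. The detection block (the selection and the path filter list) begins above the hunk.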