sysmon eventid 3: filter on outgoing connections (initiated: true) to avoid false positives

2019-09-25 11:11:22 -04:00
parent 7b8b1db241
commit 4c54e8322a
7 changed files with 9 additions and 2 deletions
@@ -14,6 +14,7 @@ logsource:
 detection:
    selection:
        EventID: 3
+        Initiated: 'true'
        DestinationHostname: 
            - '*.github.com'
            - '*.githubusercontent.com'