From 7287a46f2fb2ea143eb7272e57d292d86feeba1a Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 27 Jul 2021 10:05:57 +0200
Subject: [PATCH] Tune false positive

---
 rules/windows/registry_event/sysmon_taskcache_entry.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/registry_event/sysmon_taskcache_entry.yml b/rules/windows/registry_event/sysmon_taskcache_entry.yml
index 03465933f..a4b72df0d 100644
--- a/rules/windows/registry_event/sysmon_taskcache_entry.yml
+++ b/rules/windows/registry_event/sysmon_taskcache_entry.yml
@@ -6,6 +6,7 @@ tags:
 - attack.t1053
 - attack.t1053.005
 date: 2021/06/18
+modified: 2021/07/27
 references:
 - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
 author: Syed Hasan (@syedhasan009)
@@ -17,5 +18,6 @@ logsource:
 product: windows
 detection:
 selection:
+ EventType: SetValue
 TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
 condition: selection
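Review bot: The new `EventType: SetValue` line in the `selection` block narrows the rule to Sysmon value-write events, but neither the commit message ("Tune false positive") nor the visible rule text records which false positives prompted it or what coverage is given up. Before this change the rule also matched key create/delete events under `TaskCache\Tree\`; registering a task normally writes values under the new key as well, so detection of new tasks presumably survives, but that reasoning belongs in the rule. The `description` and `falsepositives` fields sit outside both hunks and should be updated in the same commit, for example a `falsepositives` entry naming the legitimate software observed and a sentence in `description` such as `Only SetValue events are matched; key creation or deletion alone is not alerted on.`. The first hunk's `modified:` date is fine as is.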