From 9f2ab4e0475f4e77a6595c2640be9bb3e6e6ee6f Mon Sep 17 00:00:00 2001
From: Feathers <93973834+ionsor@users.noreply.github.com>
Date: Wed, 17 Aug 2022 18:43:47 +0200
Subject: [PATCH] Update net_connection_win_dead_drop_resolvers.yml
added few more apps to which are triggering false positives and comments to identify the process with the application
---
 .../net_connection_win_dead_drop_resolvers.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
index 7f13585e3..a43fd9605 100644
--- a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
+++ b/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml
@@ -19,7 +19,7 @@ detection:
 - 'youtube.com'
 - 'technet.microsoft.com'
 - 'facebook.com'
- - 'cloudflare.com'
+ - '.cloudflare.com'
 - 'docs.google.com'
 - 'steamcommunity.com'
 - 'reddit.com'
@@ -42,8 +42,11 @@ detection:
 - '\firefox.exe'
 filter_others:
 Image|endswith:
- - '\MsMpEng.exe'
- - '\MsSense.exe'
+ - '\MsMpEng.exe' #Microsoft Defender executable
+ - '\MsSense.exe' #Windows Defender Advanced Threat Protection Service Executable
+ - '\PRTG Probe.exe' #Paessler's PRTG Network Monitor
+ - '\Engine.exe' #Process from qlik.com app
+ - '\msedgewebview2.exe' # related to Edge browser
 condition: selection and not 1 of filter*
 falsepositives:
 - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender.
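Review bot: The change from `'cloudflare.com'` to `'.cloudflare.com'` in the first hunk is not explained by the commit message, and it silently narrows the rule: if the list sits under an `endswith` modifier (the field and modifier are above the hunk and not visible here), the apex hostname `cloudflare.com` itself no longer matches, only subdomains do. If the intent is to stop matching unrelated domains that merely end in `cloudflare.com`, that is a reasonable fidelity fix, but it should be stated, and the same leading-dot treatment should then be applied consistently to the neighbouring entries (`youtube.com`, `facebook.com`, `reddit.com`, …) rather than to one item. I would add a one-line comment on the changed entry, e.g. `# leading dot: match subdomains only, avoids look-alike domains ending in cloudflare.com`, and mention the narrowing in the description.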
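Review bot: The new `'\Engine.exe'` entry under `filter_others` / `Image|endswith` excludes every process named Engine.exe from any directory, which is a very generic name and makes the exclusion far broader than the Qlik use case the comment describes; `'\PRTG Probe.exe'` has the same shape, though the name is less common. Exclusions keyed only on a file name are the weakest form of tuning for a network-connection rule, since the rule then ignores any binary that happens to carry that name. Anchoring the filter to the vendor install path would keep the false-positive fix without the broad blind spot, e.g. `- '<qlik install dir>\Engine.exe'` and `- '<prtg install dir>\PRTG Probe.exe'` with the actual paths filled in, and the comment on each line should name the product and path rather than just "Process from qlik.com app". The `msedgewebview2.exe` entry is fine as a name match, as it mirrors the existing browser filter style.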