From a00f7f19a14b58ab9ca98f6a4215a3ca9eb1932a Mon Sep 17 00:00:00 2001
From: Sander Wiebing <45387038+SanWieb@users.noreply.github.com>
Date: Fri, 29 May 2020 16:25:54 +0200
Subject: [PATCH] Add tagg Endswith

Prevent the trigger of {}.exe.log
---
 rules/windows/sysmon/sysmon_creation_system_file.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/sysmon/sysmon_creation_system_file.yml b/rules/windows/sysmon/sysmon_creation_system_file.yml
index f322669cc..9f8143c8a 100644
--- a/rules/windows/sysmon/sysmon_creation_system_file.yml
+++ b/rules/windows/sysmon/sysmon_creation_system_file.yml
@@ -15,7 +15,7 @@ logsource:
 detection:
     selection:
         EventID: 11
-        TargetFilename:
+        TargetFilename|endswith:
            - '*\svchost.exe'
            - '*\rundll32.exe'
            - '*\services.exe'
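Review bot: The values under the new `TargetFilename|endswith:` key still carry a leading `*`, which the `endswith` modifier already supplies, so each value is now effectively prefixed with two wildcards and some backends will emit both into the generated query. The Sigma convention for modifier-based matching is to give the bare suffix, i.e. `- '\svchost.exe'`, `- '\rundll32.exe'`, `- '\services.exe'`, which keeps the backslash anchor that stops names like `notsvchost.exe` from matching. Only three list entries are visible in this hunk; the rest of the list and the `condition` lie outside it and should get the same treatment. Whether the original `.exe.log` false positive came from an unanchored wildcard conversion or from something else is not shown here, so it is worth re-running the rule through the affected backend after the change.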