Merge pull request #3771 from SigmaHQ/aurora-false-positive-fixing

fix: FPs with Important Scheduled Task Deleted

rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml

@@ -12,6 +12,7 @@ references:
     - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
 author: Nasreddine Bencherchali
 date: 2022/12/05
+modified: 2022/12/09
 tags:
     - attack.execution
     - attack.privilege_escalation
@@ -35,7 +36,9 @@ detection:
             - '\Windows\WindowsUpdate\'
             - '\Windows\UpdateOrchestrator\'
             - '\Windows\ExploitGuard'
-    condition: selection
+    filter:
+        SubjectUserName|endswith: '$'  # False positives during upgrades of Defender, where its tasks get removed and added
+    condition: selection and not filter
 falsepositives:
     - Unknown
 level: high