From 356ab98ada7cf220183c42519da6090155634c29 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 9 Dec 2022 12:55:41 +0100
Subject: [PATCH] fix: FPs with Important Scheduled Task Deleted

---
 .../security/win_security_susp_scheduled_task_delete.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
index b19494759..78b60d3fe 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
@@ -12,6 +12,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
 author: Nasreddine Bencherchali
 date: 2022/12/05
+modified: 2022/12/09
 tags:
 - attack.execution
 - attack.privilege_escalation
@@ -35,7 +36,9 @@ detection:
 - '\Windows\WindowsUpdate\'
 - '\Windows\UpdateOrchestrator\'
 - '\Windows\ExploitGuard'
- condition: selection
+ filter:
+ SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
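Review bot: The new `filter` in the second hunk drops every 4701 event whose SubjectUserName ends in `$`, which is any machine account and therefore also the SYSTEM context that service-level tampering with these tasks would typically run under, so the exception is far wider than the Defender-upgrade case the inline comment describes. Consider scoping the filter to the task path the upgrade actually touches rather than to the account alone, e.g. a second key such as `TaskName|contains: '<defender task path>'` alongside the SubjectUserName condition (the Defender entry of `selection` is not visible in this hunk, so the exact value has to be taken from the rule). The `falsepositives` list still reads `Unknown` although the comment now documents a known source; it should state the Defender/Windows component upgrade case so analysts tuning the rule see it without reading the detection block. The `detection` block begins before this hunk.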