From bbb9fed3e643c8f74f956c368eacb66ff9d8d5ee Mon Sep 17 00:00:00 2001
From: Furkan CALISKAN
Date: Tue, 6 Oct 2020 19:51:55 +0300
Subject: [PATCH] Fixed for FP issues

---
 rules/windows/process_creation/win_susp_print.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml
index 5459ccb4c..e1dd41b54 100644
--- a/rules/windows/process_creation/win_susp_print.yml
+++ b/rules/windows/process_creation/win_susp_print.yml
@@ -17,13 +17,18 @@ detection:
     selection1:
         Image|endswith:
             - \print.exe
-        CommandLine|contains|all:
-            - .exe
-            - \\
+        CommandLine|startswith:
+            - print
     selection2:
         CommandLine|contains:
             - /D
-    condition: selection1 and selection2
+    exeCondition:
+        CommandLine|contains:
+            - .exe
+    cmdExclude:
+        CommandLine|contains:
+            - print.exe
+    condition: selection1 and selection2 and exeCondition and not cmdExclude
 falsepositives:
-    - Legitimate printer actions from a fileshare for an exe file
+    - Unknown
 level: medium
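Review bot: The new `cmdExclude` filter (`CommandLine|contains: print.exe`) discards every event whose command line names the binary with its extension, so together with `CommandLine|startswith: print` the rule can only fire when print was invoked as `print ...` without `.exe`; the very pattern the rule exists for, `print.exe /D:<dest> <file>.exe`, is now suppressed, and a full-path or quoted invocation (`C:\Windows\System32\print.exe ...`, `"print.exe" ...`) fails `selection1` as well. The exclusion seems intended only to stop the `.exe` of the binary's own name from satisfying `exeCondition`; a narrower way to express that is to anchor the `.exe` to the copied file rather than excluding the binary name, e.g. `exeCondition: CommandLine|re: '(?i)(?<!print)\.exe'` (if the target backend supports lookbehind) or, more conservatively, `CommandLine|endswith: .exe`, and to drop both `cmdExclude` and the `startswith` clause, since `Image|endswith: \print.exe` already pins the process. The old FP description (`Legitimate printer actions from a fileshare for an exe file`) was the useful part of the rule for an analyst; replacing it with `Unknown` removes that context, so consider keeping it. The rule's `title`, `description` and `references` keys are outside the hunk, so whether they already document the copy-to-UNC behaviour cannot be checked here.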