From d2a35edae9c4d44ac2c9f53b5fa1a0e23923edd3 Mon Sep 17 00:00:00 2001
From: Max Altgelt
Date: Mon, 16 Aug 2021 08:42:17 +0200
Subject: [PATCH] fix: Remove powershell_alternate_hosts from PR

Remove a rule using Host Application (which may or may not exist, based on the log parser) from the PR. A future PR will clean up rules using Host Application.
---
 .../powershell/powershell_alternate_powershell_hosts.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
index 8eec258c9..dcf6fb163 100644
--- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml
@@ -19,7 +19,10 @@ falsepositives:
 level: medium
 detection:
 filter:
- ContextInfo: 'powershell.exe'
+ - ContextInfo: 'powershell.exe'
+ - Message: 'powershell.exe'
+ # Both fields contain key=value pairs where the key HostApplication is relevant but
+ # can't be referred directly as event field.
 condition: selection and not filter
---
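Review bot: The two new filter entries are plain exact-match values, yet the comment added right below them says ContextInfo and Message carry key=value pairs (HostApplication among them), so an equality match on `'powershell.exe'` presumably never matches and the filter then excludes nothing — the rule would fire for the legitimate powershell.exe host just as for alternate hosts. Sigma needs an explicit modifier for substring matching, e.g. `- ContextInfo|contains: 'powershell.exe'` and `- Message|contains: 'powershell.exe'`. An unanchored substring is also satisfied by any other occurrence of that string in the event (for instance inside logged command text), so anchoring the contains on the HostApplication key=value text is worth considering once the exact field formatting has been confirmed against sample events. The hunk header announces 7 old and 10 new lines but only 5 and 8 are visible here, so the trailing context of the detection block appears to be cut off in this copy.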