From 84dd8c39c46d0f667104228390ccc923aa6abe33 Mon Sep 17 00:00:00 2001
From: William Bruneau
Date: Tue, 5 May 2020 09:04:47 +0200
Subject: [PATCH] Move null values out from list in rules
---
 rules/windows/sysmon/sysmon_ads_executable.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/sysmon/sysmon_ads_executable.yml
index 7e111015c..dbb055ad0 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/sysmon/sysmon_ads_executable.yml
@@ -17,11 +17,11 @@ logsource:
 detection:
 selection:
 EventID: 15
- filter:
- Imphash:
- - '00000000000000000000000000000000'
- - null
- condition: selection and not filter
+ filter1:
+ Imphash: '00000000000000000000000000000000'
+ filter2:
+ Imphash: null
+ condition: selection and not 1 of filter*
 fields:
 - TargetFilename
 - Image
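Review bot: The `filter2` selection (`Imphash: null`) drops every EventID 15 record that has no `Imphash` value, and nothing in the visible part of the rule documents that the rule therefore depends on that field being populated. If Sysmon hashing is not configured to include IMPHASH, or the log pipeline does not split the hash string into a separate `Imphash` field, the value is likely always absent and the rule would silently match nothing. I would add a comment above the two filters such as `# filter1/filter2 exclude streams without a PE import hash; requires Sysmon hashing to include IMPHASH and a parsed Imphash field, otherwise all events are filtered`. Separately, `1 of filter*` will also pick up any selection later added under a name starting with `filter`, so that prefix should stay reserved for exclusions. The rule header and the `logsource` body lie outside the hunk, so a note there cannot be ruled out.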