From e73816bb224db05ab98dc35b71f47cf4302ded75 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 20 Nov 2021 15:07:20 +0100
Subject: [PATCH] fix: too many false positives with in-memory detection rule

---
 .../process_access/sysmon_in_memory_assembly_execution.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 7234add4d..0d45f61ba 100755
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
@@ -54,6 +54,6 @@ fields:
 - SourceImage
 - TargetImage
 - CallTrace
-level: high
+level: medium # too many false positives
 falsepositives:
 - SysInternals Process Explorer
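Review bot: Lowering `level` on the `+level: medium` line does not reduce the false-positive volume the subject line describes; the rule still matches the same events, so the Process Explorer hits already listed under `falsepositives` keep firing, only tagged medium. The rationale sits in a YAML comment that is discarded at parse time, while the `falsepositives` list is the field consumers actually read, so the reason is better recorded there, e.g. as an additional entry describing the benign in-memory assembly loaders observed. If the rule carries a `modified` date above this hunk, it should be bumped so downstream deployments pick up the changed severity; the `detection` block and the rule header are outside the hunk, so whether a narrowing filter on the known benign source is feasible cannot be judged from here.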