From fa26f5f7f54906b1e705e60e1f6396cb7dcddefc Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 30 Nov 2021 14:21:38 +0000
Subject: [PATCH] simplifying format

---
.../win_xsl_script_processing.yml | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml
index bd2102923..de22303eb 100644
--- a/rules/windows/process_creation/win_xsl_script_processing.yml
+++ b/rules/windows/process_creation/win_xsl_script_processing.yml
@@ -16,15 +16,16 @@ detection:
CommandLine|contains: '/format' # wmic process list /FORMAT /?
- Image|endswith: '\msxsl.exe'
false_positives:
- - CommandLine|contains: '/Format:List'
- - CommandLine|contains: '/Format:htable'
- - CommandLine|contains: '/Format:hform'
- - CommandLine|contains: '/Format:table'
- - CommandLine|contains: '/Format:mof'
- - CommandLine|contains: '/Format:value'
- - CommandLine|contains: '/Format:rawxml'
- - CommandLine|contains: '/Format:xml'
- - CommandLine|contains: '/Format:csv'
+ CommandLine|contains:
+ - '/Format:List'
+ - '/Format:htable'
+ - '/Format:hform'
+ - '/Format:table'
+ - '/Format:mof'
+ - '/Format:value'
+ - '/Format:rawxml'
+ - '/Format:xml'
+ - '/Format:csv'
condition: selection and not false_positives
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
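Review bot: The consolidated `CommandLine|contains` list under `false_positives` is still an unanchored substring match, so the exclusion fires on any command line that merely starts its `/format:` argument with one of those names — e.g. `wmic os get /format:list.xsl`, where `list.xsl` is an attacker-dropped stylesheet in the working directory, contains `/Format:List` (Sigma string matching is case-insensitive) and the event is suppressed. Only the bare built-in WMIC output formats should be whitelisted; an anchored expression such as `CommandLine|re: '(?i)/format:(list|htable|hform|table|mof|value|rawxml|xml|csv)(\s|"|$)'` would reject anything with a path, extension or URL after the name. Whether `|re` is acceptable depends on the backends this repository targets, so if it is not, a `contains`-with-trailing-delimiter plus `endswith` pair per value is the fallback. A comment next to the list would also help future editors, e.g. `# stock WMIC /FORMAT names only; paths, URLs and custom .xsl files must stay detected`.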