From 255c53cff0026b0bce51fba3ce21aa236949f5cd Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Thu, 20 Apr 2023 18:26:00 -0300
Subject: [PATCH] [Rule Tuning] Connection to Commonly Abused Web Services (#2728)

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 rules/windows/command_and_control_common_webservices.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index ba3781f1a..531990103 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/17"
+updated_date = "2023/04/20"
 
 [transform]
 [[transform.osquery]]
@@ -157,12 +157,12 @@ network where host.os.type == "windows" and network.protocol == "dns" and
 /* Discord App */
 (process.name : "Discord.exe" and (process.code_signature.subject_name : "Discord Inc." and
- process.code_signature.trusted == true) and not dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com")
+ process.code_signature.trusted == true) and dns.question.name : ("discord.com", "cdn.discordapp.com", "discordapp.com")
 ) or
 /* MS Sharepoint */
 (process.name : "Microsoft.SharePoint.exe" and (process.code_signature.subject_name : "Microsoft Corporation" and
- process.code_signature.trusted == true) and not dns.question.name : "onedrive.live.com"
+ process.code_signature.trusted == true) and dns.question.name : "onedrive.live.com"
 ) or
 /* Firefox */