From 8ddf8a838ed136258f1325081a10be10eac54c73 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 8 Dec 2025 12:15:40 +0000
Subject: [PATCH] Update defense_evasion_masquerading_as_svchost.toml (#5416)

---
 .../defense_evasion_masquerading_as_svchost.toml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index 248a51b9a..43216ade5 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/11/12"
-integration = ["windows"]
+integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/11/12"
+updated_date = "2025/12/05"
 min_stack_version = "9.1.0"
 min_stack_comments = "The esql match operator was introduced in version 9.1.0"
@@ -60,13 +60,16 @@ tags = [
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
-"Resources: Investigation Guide"
+"Resources: Investigation Guide",
+"Data Source: Elastic Defend",
+"Data Source: Windows Security Event Logs",
+"Data Source: Sysmon"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
 query = '''
-FROM logs-* metadata _id, _version, _index
+FROM logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-* metadata _id, _version, _index
 | where event.category == "process" and event.type == "start" and
 match(process.name, "svchost.exe", { "fuzziness": 1, "max_expansions": 10 }) and
 not process.executable in ("C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\System32\\svchost.exe") and