From d0ba03230a6b1beb9f7f8fa38068caad6b24517e Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Mon, 30 Nov 2020 18:22:27 +0100
Subject: [PATCH] [Rule Tuning] Unusual File Modification by dns.exe (#472)
---
 rules/windows/execution_unusual_dns_service_file_writes.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/execution_unusual_dns_service_file_writes.toml b/rules/windows/execution_unusual_dns_service_file_writes.toml
index 863ffb845..4079386c6 100644
--- a/rules/windows/execution_unusual_dns_service_file_writes.toml
+++ b/rules/windows/execution_unusual_dns_service_file_writes.toml
@@ -29,7 +29,8 @@ tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
-event.category:file and process.name:dns.exe and
+event.category:file and process.name:dns.exe and
+  event.type:(creation or deletion or change) and
 not file.name:dns.log
 '''
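Review bot: The exclusion on the last context line, `not file.name:dns.log`, still keys on the bare file name, so once the new `event.type:(creation or deletion or change)` clause lands, a creation, deletion or change of any file that merely happens to be named dns.log, in any directory, is dropped from the rule's results; anchoring the exclusion on `file.path` under the DNS server's log directory rather than on `file.name` alone would keep this tuning from leaving that blind spot in place. The new clause also narrows the rule from every `event.category:file` event to the three listed types, so if the rule's `description` (outside this hunk) still speaks of file activity in general, it should say that only creation, deletion and change events are matched now. As a point of style, the added continuation line is indented two spaces while `not file.name:dns.log` remains at column 0; indenting both continuation lines the same way, e.g. `  not file.name:dns.log`, makes the three-clause conjunction read as one expression. The `query = '''` … `'''` block is contained entirely within this hunk.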