From d528af6bdb02b69cd04de321afb788bf6053b294 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 7 Dec 2023 16:38:08 +0100
Subject: [PATCH] [Rule Tuning] UEBA new_terms process_executable (#3268)
* [Rule Tuning] UEBA new_terms process_executable
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit 1647a16fabd1e285e546edff3982d48038876af0)
---
 ...ery_signal_unusual_discovery_signal_proc_executable.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
index f42418688..6da4d484d 100644
--- a/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
+++ b/rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
@@ -3,13 +3,13 @@ creation_date = "2023/09/22"
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/09/22"
+updated_date = "2023/11/13"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique
-host.id, user.id and process.executable entries.
+This rule leverages Discovery building block rule alert data to alert on signals with unusual unique host.id, user.id
+and process.executable entries.
 """
 from = "now-9m"
 index = [".alerts-security.*"]
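Review bot: The reworded description on the `+This rule leverages …` line now reads "alert data to alert on", which repeats the word within one clause and makes the sentence harder to scan than the old one; a tighter form is `This rule uses alert data from Discovery building block rules to flag signals with unusual host.id, user.id and process.executable combinations.` (two lines in the multi-line string, wrapped as before). Since min_stack_comments in the same hunk ties this rule to the New Terms rule type, "unusual" presumably means "not previously seen in the lookback window"; saying so in the description would tell an analyst what triggered the alert, but confirm that against the rule's query, which is outside this hunk. The `[rule]` table continues past the end of the hunk.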