From e37fc97c57fd5d21de02a0fedc23bed1eea9eb5e Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Mon, 6 Dec 2021 13:45:12 -0300
Subject: [PATCH] Limit index to logs-endpoint.events (#1647)

(cherry picked from commit f6a2437cf8021ed876c48ab37522b7d0d4fcf07a)
---
 .../defense_evasion_whitespace_padding_in_command_line.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml b/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml
index 9855efce1..23fa3db3e 100644
--- a/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml
+++ b/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/30"
 maturity = "production"
-updated_date = "2021/07/30"
+updated_date = "2021/12/06"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ their malicious command with unnecessary whitespace characters. These observatio
 behavior.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
+index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Whitespace Padding in Process Command Line"
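Review bot: The new `index = ["logs-endpoint.events.*"]` line in the second hunk removes `winlogbeat-*` and `logs-windows.*` without recording why, so hosts whose process events arrive only through those sources silently lose this detection. The `[rule]` table continues past the hunk and the query is not visible here, so the reason is presumably a field or mapping dependency on endpoint data; that should be confirmed and written down. I would add a comment above the line, e.g. `# Endpoint process events only; winlogbeat-* and logs-windows.* dropped in #1647 (<reason>)`, and check whether another rule still covers whitespace-padded command lines from those indices.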