From eafe54c2cc5ca5cf12ec12bcd6eb7bdc45d3e392 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 5 Apr 2023 13:28:57 -0300
Subject: [PATCH] [Rule Tuning] Potential LSASS Clone Creation via
 PssCaptureSnapShot (#2691)

---
 .../credential_access_via_snapshot_lsass_clone_creation.toml  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index dfbe2d103..d9ca743f4 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/04/05"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation of an LSASS process clone via PssCaptureSnapShot where t
 process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential LSASS Clone Creation via PssCaptureSnapShot"