[BUG] Suspicious Process File Path wrong field reference
DipsyTipsy opened this issue
Describe the bug
The correlation search Suspicious Process File Path is currently referring to a field that is not a part of the Endpoint datamodel, both in the SPL and the risk message.
The field Processes.process_path.file_path is not a part of the Endpoint.Processes spec, I assume Processes.process_path is the field the detection should utilize.
Expected behavior
The correct field should be used in order for the detection to function, and the risk message to display properly.
App Version:
- ESCU: [e.g. 3.51.0]
Thanks @DipsyTipsy, here is the PR for that fix: #2551