From a8c6f8f1e436d515858bdd9ae3edf85c2576b0eb Mon Sep 17 00:00:00 2001
From: patel-bhavin
Date: Mon, 7 Feb 2022 12:44:10 -0800
Subject: [PATCH] package
---
.../srs/ssa___detect_dump_lsass_memory_using_comsvcs.yml | 9 +++++----
dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml | 4 ++--
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/dist/ssa/srs/ssa___detect_dump_lsass_memory_using_comsvcs.yml b/dist/ssa/srs/ssa___detect_dump_lsass_memory_using_comsvcs.yml
index 6a7f394b98..9150df75c7 100644
--- a/dist/ssa/srs/ssa___detect_dump_lsass_memory_using_comsvcs.yml
+++ b/dist/ssa/srs/ssa___detect_dump_lsass_memory_using_comsvcs.yml
@@ -24,10 +24,11 @@ search: '| from read_ssa_enriched_events() | eval tenant=ucast(map_get(input_eve "string", null), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), process=lower(ucast(map_get(input_event, "process"), "string", null)), event_id=ucast(map_get(input_event,
- "event_id"), "string", null) | where process_name LIKE "%rundll32.exe%" AND match_regex(process,
- /(?i)comsvcs.dll[,\s]+MiniDump/)=true | eval start_time = timestamp, end_time =
- timestamp, entities = mvappend(machine), body=create_map(["event_id", event_id,
- "process_name", process_name, "process", process]) | into write_ssa_detected_events();'
+ "event_id"), "string", null) | where process IS NOT NULL AND process_name IS NOT
+ NULL AND process_name LIKE "%rundll32.exe%" AND match_regex(process, /(?i)comsvcs.dll[,\s]+MiniDump/)=true
+ | eval start_time = timestamp, end_time = timestamp, entities = mvappend(machine),
+ body=create_map(["event_id", event_id, "process_name", process_name, "process",
+ process]) | into write_ssa_detected_events();'
tags:
analytic_story: - Credential Dumping
diff --git a/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml b/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
index 1cfb04507b..e5242f4757 100644
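Review bot: The regex on the second added line, `/(?i)comsvcs.dll[,\s]+MiniDump/`, leaves the dot in `comsvcs.dll` unescaped, so that position matches any single character rather than the literal dot; the check should read `match_regex(process, /(?i)comsvcs\.dll[,\s]+MiniDump/)=true`. The `(?i)` flag is redundant because `process` is already lowercased by the `lower(...)` call in the preceding eval, though keeping it is harmless. The new `IS NOT NULL` guards placed ahead of the LIKE and match_regex calls are a sound addition. The quoted `search:` scalar begins above the hunk; only its tail is visible in the hunk header.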
--- a/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
+++ b/dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
@@ -27,9 +27,9 @@ search: '| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | where
- cmd_line IS NOT NULL AND process_name IS NOT NULL AND process_name="wbadmin.exe"
+ (cmd_line IS NOT NULL AND process_name IS NOT NULL) AND (process_name="wbadmin.exe"
AND like (cmd_line, "%delete%") OR like (cmd_line, "%catalog%") OR like (cmd_line,
- "%systemstatebackup%") | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event,
+ "%systemstatebackup%")) | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event,
"dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path])
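Review bot: The parentheses added on the first `+` line group the null checks but leave the `AND`/`OR` mix inside the second group unchanged, so — assuming `AND` binds tighter than `OR` as in SQL — the condition still evaluates as `(process_name="wbadmin.exe" AND like(cmd_line, "%delete%")) OR like(cmd_line, "%catalog%") OR like(cmd_line, "%systemstatebackup%")` and fires for any process whose command line contains `catalog` or `systemstatebackup`. If the intent is wbadmin deleting the catalog or a system state backup, the second group should be `(process_name="wbadmin.exe" AND like (cmd_line, "%delete%") AND (like (cmd_line, "%catalog%") OR like (cmd_line, "%systemstatebackup%")))`, with the closing parenthesis on the second `+` line adjusted to match. The grouping defect predates this commit, but the new outer parentheses make it read as deliberate. The quoted `search:` scalar begins above the hunk, and the trailing context lines appear to close it.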