Open cchansk opened 1 year ago
Those particular saved searches are derived from EventCode 8 (CreateRemoteThread) and not EventCode 1 (process create).
It does seem conspicuous that no whitelist strategy is applied. I imagine the more applicable whitelist to apply would be "remote_thread_whitelist" rather than "process_create_whitelist".
Is there any reason for the "[[T1055] Process Injection]" and "[[T1055] Process Injection - CobaltStrike]" saved searches not to have the "| process_create_whitelist" in them and abide by the whitelist?
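To make the field mismatch concrete, here is an added example (not code from the project or from either participant in this issue) that applies a remote-thread whitelist to Sysmon EventCode 8 records. The whitelist entries, the sample events and the helper names are constructed for illustration; the `remote_thread_whitelist` macro is the suggestion made above, not something the project is known to ship. The Sysmon field names (SourceImage, TargetImage, StartModule, StartFunction) are the ones EventCode 8 actually carries, which is why a whitelist keyed on EventCode 1's Image/ParentImage fields would never match these events.

```python
"""Whitelist Sysmon EventCode 8 (CreateRemoteThread) events for a T1055 search.

Added example, not the ThreatHunting project's own code. The whitelist and
the sample events are constructed; field names follow Sysmon EventCode 8.
"""
from fnmatch import fnmatchcase


def _match(value: str, pattern: str) -> bool:
    """Case-insensitive glob match, since Windows paths are case-insensitive."""
    return fnmatchcase(value.lower(), pattern.lower())


# Constructed whitelist of (SourceImage glob, TargetImage glob) pairs that are
# benign remote-thread creators in this hypothetical environment. This is the
# shape a "remote_thread_whitelist" macro would need; a process_create
# whitelist keyed on Image/ParentImage does not apply to EventCode 8 at all.
REMOTE_THREAD_WHITELIST = [
    (r"C:\Windows\System32\csrss.exe", "*"),
    (r"C:\Windows\System32\wininit.exe", r"C:\Windows\System32\*"),
    (r"C:\Program Files\Windows Defender\MsMpEng.exe", "*"),
]

# Constructed sample events. Sysmon writes "-" for StartModule when the thread
# start address is not backed by any loaded module.
SAMPLE_EVENTS = [
    {"EventCode": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "CtrlRoutine"},
    {"EventCode": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe",
     "StartModule": "-", "StartFunction": "-"},
    # An EventCode 1 record: it has no Source/Target fields and is skipped.
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def is_whitelisted(event: dict, whitelist=REMOTE_THREAD_WHITELIST) -> bool:
    """True if the (SourceImage, TargetImage) pair matches a whitelist entry."""
    src = event.get("SourceImage", "")
    tgt = event.get("TargetImage", "")
    return any(_match(src, s) and _match(tgt, t) for s, t in whitelist)


def has_unbacked_start(event: dict) -> bool:
    """Thread started at an address with no backing module (Sysmon prints "-").

    Extra heuristic added here as an assumption; the page does not say what
    the CobaltStrike-specific search checks.
    """
    return event.get("StartModule", "") == "-"


def find_suspicious_remote_threads(events, whitelist=REMOTE_THREAD_WHITELIST):
    """Mirror of a search like `EventCode=8 | remote_thread_whitelist`.

    Returns the EventCode 8 events that survive the whitelist, each tagged
    with whether the remote thread start address is unbacked.
    """
    hits = []
    for ev in events:
        if ev.get("EventCode") != 8:
            continue  # process-create and other event types are out of scope
        if is_whitelisted(ev, whitelist):
            continue
        hits.append({**ev, "unbacked_start": has_unbacked_start(ev)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_remote_threads(SAMPLE_EVENTS):
        print(hit["SourceImage"], "->", hit["TargetImage"],
              "unbacked_start=%s" % hit["unbacked_start"])
```

Running it over the constructed events, the csrss.exe thread is dropped by the whitelist, the EventCode 1 record is never considered, and only the Temp\update.exe injection into rundll32.exe remains, flagged as having an unbacked start address.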