olafhartong / ThreatHunting

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
MIT License

Schedule Report "[T1197] BITS Jobs - Process" Bug #20

Closed brianyaucy closed 5 years ago

brianyaucy commented 5 years ago

There is a typo in the saved search [T1197] BITS Jobs - Process: bitsamin.exe

To correct, in default/savedsearches.conf, find:

```ini
[[T1197] BITS Jobs - Process]
action.email.useNSSubject = 1
action.summary_index = 1
action.summary_index._name = threathunting
action.summary_index.mitre_category = Persistence,Defense_Evasion
action.summary_index.mitre_technique = BITS Jobs
action.summary_index.mitre_technique_id = T1197
alert.track = 0
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
schedule_window = auto
request.ui_dispatch_app = ThreatHunting
request.ui_dispatch_view = search
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="bitsamin.exe" OR process_command_line="*Start-BitsTransfer*") \
| eval mitre_technique_id="T1197" \
| eval hash_sha256= lower(hash_sha256)\
| `process_create_whitelist`\
| eval indextime = _indextime | convert ctime(indextime) | table _time indextime event_description hash_sha256 host_fqdn user_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid
```

To correct, change bitsamin.exe to bitsadmin.exe in search.
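
A misspelled binary name in a `process_name` literal silently turns a detection into a rule that never fires. The following is an added example, not code from the ThreatHunting project or from the reporter: a small lint that parses a savedsearches.conf stanza (honoring backslash line continuations) and flags `process_name` literals that are not in a known-binary list, suggesting the closest match. `KNOWN_BINARIES` and `SAMPLE_CONF` are constructed for the example; the stanza is an abbreviated copy of the one quoted above, typo included.

```python
"""Lint Splunk savedsearches.conf for misspelled process_name literals."""
import re
from difflib import get_close_matches

# Constructed allowlist of binaries the hunt rules are expected to reference.
KNOWN_BINARIES = {"bitsadmin.exe", "powershell.exe", "cmd.exe", "certutil.exe"}

# Constructed, abbreviated copy of the stanza from the issue, typo included.
SAMPLE_CONF = r"""
[[T1197] BITS Jobs - Process]
action.summary_index.mitre_technique_id = T1197
search = `indextime` ((`sysmon` event_id=1) OR (`windows-security` event_id=4688)) (process_name="bitsamin.exe" OR process_command_line="*Start-BitsTransfer*") \
| eval mitre_technique_id="T1197" \
| `process_create_whitelist`
"""

def parse_savedsearches(text):
    """Return {stanza_name: {key: value}}, joining backslash-continued lines."""
    stanzas, current, logical = {}, None, []
    for raw in text.splitlines():
        logical.append(raw.rstrip())
        if raw.rstrip().endswith("\\"):
            continue  # value continues on the next physical line
        line = " ".join(part.rstrip("\\").strip() for part in logical)
        logical = []
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # e.g. "[T1197] BITS Jobs - Process"
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

PROCESS_NAME_RE = re.compile(r'process_name\s*=\s*"([^"]+)"')

def lint_process_names(stanzas, known=KNOWN_BINARIES):
    """Return [(stanza, literal, suggestion)] for process_name values not in `known`."""
    findings = []
    for name, keys in stanzas.items():
        for literal in PROCESS_NAME_RE.findall(keys.get("search", "")):
            if literal.lower() not in known:
                close = get_close_matches(literal.lower(), list(known), n=1, cutoff=0.8)
                findings.append((name, literal, close[0] if close else None))
    return findings

if __name__ == "__main__":
    for stanza, literal, hint in lint_process_names(parse_savedsearches(SAMPLE_CONF)):
        print(f"{stanza}: process_name={literal!r} is not a known binary; did you mean {hint!r}?")
```

Run against the real app's default/savedsearches.conf, the same lint flags any other stanza whose `process_name` literal does not match the allowlist you maintain.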

olafhartong commented 5 years ago

Thanks! This has been addressed in the next push.