socfortress / Wazuh-Rules

Advanced Wazuh Rules for more accurate threat detection. Feel free to implement within your own Wazuh environment, contribute, or fork!
https://www.socfortress.co
590 stars 169 forks

Update 900000-exclusion_rules.xml #11

Closed gnordli closed 1 year ago

gnordli commented 1 year ago

In Wazuh 4.4, 92204 is for PowerShell creating executables, but 92213 is for any process creating an executable. Maybe it could be 92204,92213 to cover off both scenarios. Even level 8 may be high for this type of activity.
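The change gnordli suggests, written out as a Wazuh child rule (an added example, not the content of this PR or code from the socfortress repository): one exclusion that hangs off both parent rules via `<if_sid>92204,92213</if_sid>`, so an executable dropped by a trusted updater is suppressed whether the parent was the PowerShell-specific rule or the generic process rule. The rule ID 900100, the group name, the updater path, and the field names `win.eventdata.image` and `win.eventdata.targetFilename` are assumptions for illustration; the field names follow how Wazuh decodes Sysmon Event ID 11 (FileCreate), and the `type="pcre2"` match syntax is the one available in Wazuh 4.x.

```xml
<!-- Added example for 900000-exclusion_rules.xml; not from the PR or the repository. -->
<group name="custom,exclusion,sysmon,">

  <!--
    Child of BOTH parent rules: 92204 (PowerShell writes an executable) and
    92213 (any process writes an executable). Without listing both, an
    exclusion written against 92204 alone still fires 92213 for the same event.

    Rule ID 900100, the "Example Updater" path and the field names are
    assumptions for illustration, not values taken from the PR.
  -->
  <rule id="900100" level="0">
    <if_sid>92204,92213</if_sid>

    <!-- Parent process must be the signed updater binary, full path, no wildcards. -->
    <field name="win.eventdata.image" type="pcre2">(?i)^C:\\Program Files\\Example Updater\\updater\.exe$</field>

    <!-- And the executable must land inside the updater's own directory,
         so a hijacked updater writing to %TEMP% or user-writable paths is NOT excluded. -->
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)^C:\\Program Files\\Example Updater\\</field>

    <description>Exclusion: executable written by a known updater into its own install directory (covers rules 92204 and 92213).</description>
  </rule>

</group>
```

Level 0 silences the event entirely; if the intent is only to lower the severity rather than drop it, keep the same `<if_sid>` list and set a lower non-zero level instead. Pinning both the parent image and the target directory is what keeps the exclusion narrow: matching on the image alone would also suppress a compromised updater dropping binaries anywhere on disk.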