Closed
Labels: Rule: Tuning (tweaking or tuning an existing rule), Team: TRADE, community
Description
Link to Rule
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
WinMerge is detected as using ADS: <file>:sec.endpointdlp:$DATA.
As it's signed, it might be worth excluding it from the rule.
process.code_signature.exists: true
process.code_signature.status: trusted
process.code_signature.subject_name: Takashi Sawanaka
process.code_signature.trusted: true
process.executable: C:\Program Files\WinMerge\WinMergeU.exe
Example Data
No response
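The following is an added example, not part of this issue or of the Elastic detection-rules repository: it models the proposed tuning in Python over constructed ECS-shaped events. The ADS name pattern, the allow-list structure and the helper names (is_ads_write, is_trusted_excluded, evaluate) are assumptions made for the example; the rule's actual query is not reproduced here. The constructed events include the edge case that matters for this kind of tuning: an unsigned process running from the same WinMergeU.exe path must still alert, so the exclusion keys on the code-signature fields rather than on the path alone.

```python
import re
from typing import Dict, List

# Matches a file name carrying a named alternate data stream, e.g.
# "report.docx:sec.endpointdlp:$DATA". Assumption for this example: plain
# paths and the default unnamed stream ("file:$DATA") are not of interest.
ADS_NAME_RE = re.compile(r"^[^:]+:[^:\\]+:\$DATA$", re.IGNORECASE)

# Proposed exclusion from the issue: WinMerge's signer and executable path.
# The mapping structure itself is an assumption made for this example.
TRUSTED_SIGNER_EXCLUSIONS: Dict[str, set] = {
    "Takashi Sawanaka": {r"c:\program files\winmerge\winmergeu.exe"},
}


def is_ads_write(file_path: str) -> bool:
    """True when the last path component names a non-default ADS."""
    file_name = file_path.rsplit("\\", 1)[-1]  # drop directories (and the drive colon)
    return ADS_NAME_RE.match(file_name) is not None


def is_trusted_excluded(event: Dict) -> bool:
    """Exclusion check: the signature must exist, be trusted, carry
    status == "trusted", name an allow-listed subject, and the executable
    path must match. A matching path on its own never suppresses the alert."""
    process = event.get("process", {})
    sig = process.get("code_signature", {})
    allowed_paths = TRUSTED_SIGNER_EXCLUSIONS.get(sig.get("subject_name", ""))
    if not allowed_paths:
        return False
    return (
        sig.get("exists") is True
        and sig.get("trusted") is True
        and sig.get("status") == "trusted"
        and process.get("executable", "").lower() in allowed_paths
    )


def evaluate(events: List[Dict]) -> List[str]:
    """Return the file paths that still alert once the exclusion is applied."""
    return [
        ev["file"]["path"]
        for ev in events
        if is_ads_write(ev.get("file", {}).get("path", ""))
        and not is_trusted_excluded(ev)
    ]


def _event(path: str, exe: str, **sig) -> Dict:
    """Build a minimal ECS-shaped event (constructed sample data)."""
    return {"file": {"path": path}, "process": {"executable": exe, "code_signature": sig}}


WINMERGE = r"C:\Program Files\WinMerge\WinMergeU.exe"
WINMERGE_SIG = dict(exists=True, status="trusted", subject_name="Takashi Sawanaka", trusted=True)

# Constructed sample events covering the benign case and the cases that must still fire.
SAMPLE_EVENTS = [
    # 1. The benign case from the issue: trusted WinMerge writing the DLP stream.
    _event(r"C:\Users\alice\report.docx:sec.endpointdlp:$DATA", WINMERGE, **WINMERGE_SIG),
    # 2. Same executable path but unsigned: the path must not be enough to suppress.
    _event(r"C:\Users\alice\report.docx:sec.endpointdlp:$DATA", WINMERGE, exists=False),
    # 3. A trusted signature from a signer that is not on the allow-list.
    _event(r"C:\Temp\notes.txt:extra:$DATA", r"C:\Temp\tool.exe",
           exists=True, status="trusted", subject_name="Example Signer", trusted=True),
    # 4. WinMerge writing an ordinary file: never matches the ADS logic at all.
    _event(r"C:\Users\alice\report.docx", WINMERGE, **WINMERGE_SIG),
]

if __name__ == "__main__":
    for path in evaluate(SAMPLE_EVENTS):
        print("ALERT", path)
```

Running the script prints the two paths that still alert (the unsigned copy at the WinMerge path and the non-allow-listed signer); only event 1 is suppressed. The four signature conditions are what an exclusion clause in the rule itself would need to carry, so that a renamed or unsigned binary at the same path does not inherit the exception.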