use ps.uuid field for connecting the events

A-new · Mar 31, 2023 · ae9939d · ae9939d
1 parent ba64664
commit ae9939d
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/rules/defense_evasion_system_binary_proxy_execution.yml b/rules/defense_evasion_system_binary_proxy_execution.yml
@@ -36,8 +36,8 @@
                 '*-sta*',
                 '*RunHTMLApplication*',
               )
-          | by ps.child.pid
-          |spawn_process| by ps.pid
+          | by ps.child.uuid
+          |spawn_process| by ps.uuid
       action: >
         {{
             emit . "System Binary Proxy Execution via Rundll32" ""