Update PowershellMonitoring.yaml ScriptIgnorePath behavior (#735)

Looks good @SBattaglia-R7 - thank you!
Velocidex · Nov 17, 2023 · cf2f471 · cf2f471
1 parent 2061595
commit cf2f471
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/content/exchange/artifacts/PowershellMonitoring.yaml b/content/exchange/artifacts/PowershellMonitoring.yaml
@@ -132,7 +132,8 @@ sources:
                 AND NOT if(condition=Ignore, then= Payload=~Ignore, else= False)
                 AND NOT if(condition=IgnorePaths,
                     then= EventData.Path =~ ScriptIgnorePath 
-                        OR EventData.ContextInfo.CommandPath =~ ScriptIgnorePath,
+                        OR EventData.ContextInfo.CommandPath =~ ScriptIgnorePath
+                        OR EventData.ContextInfo.ScriptName =~ ScriptIgnorePath,
                             else= False)
             LIMIT 1 -- limts to 1 row per IocCsv entry.
         })