spl update

detections/endpoint/clop_common_exec_parameter.yml

@@ -1,7 +1,7 @@
 name: Clop Common Exec Parameter
 id: 5a8a2a72-8322-11eb-9ee9-acde48001122
-version: 1
-date: '2021-03-17'
+version: 2
+date: '2023-03-17'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -14,12 +14,10 @@ description: The following analytics are designed to identifies some CLOP ransom
   since it is waiting for some parameter to execute properly.
 data_source:
 - Sysmon Event ID 1
-search: '| tstats `security_content_summariesonly` values(Processes.process) as cmdline
-  values(Processes.parent_process_name) as parent_process values(Processes.process_name)
-  count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
-  where Processes.process_name != "*temp.dat*" Processes.process = "*runrun*" OR Processes.process
-  = "*temp.dat*" by Processes.dest Processes.user Processes.parent_process Processes.process_name
-  Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
+  where Processes.process_name != "*temp.dat*" Processes.process = "*runrun*" OR Processes.process = "*temp.dat*"
+  by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
+  | `drop_dm_object_name(Processes)`
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`'
 how_to_implement: To successfully implement this search you need to be ingesting information
   on process that include the name of the process responsible for the changes from