Update whitelist in transform

elastic · Mar 11, 2024 · f08b23c · f08b23c
1 parent e8ca6da
commit f08b23c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml
@@ -361,7 +361,7 @@ source:
       minimum_should_match: 1
       must_not:
         terms:
-          'process.name': ["Acrobat.exe", "AcroCEF.exe", "AcroCEF Helper", "AddressBookSourceSync", "Adobe_CCXProcess.node", "Adobe CEF Helper", "Adobe CEF Helper.exe", "AdobeCollabSync.exe", "Adobe Desktop Service", "Adobe Desktop Service.exe", "accountsd", "akd", "appstoreagent", "apsd", "atmgr.exe", "assistantd", "backgroundTaskHost.exe", "BackgroundTransferHost.exe", "Brave Browser Helper", "CalendarAgent", "Camtasia 2020", "CCXProcess", "chrome.exe", "cloudd", "Code.exe", "Code Helper", "Code Helper (Renderer)", "CompatTelRunner.exe", "com.apple.geod", "com.apple.ncplugin.stocks", "com.apple.Safari.SafeBrowsing.Service", "com.apple.WebKit.Networking", "com.docker.vpnkit", "commerce", "Core Sync", "CoreSync.exe", "default-browser-agent.exe", "DeliveryService.exe", "DeviceCensus.exe", "Docker", "Dropbox", "Dsapi.exe", "elastic-agent", "elastic-agent.exe", "elastic-endpoint", "esensor", "EXCEL.EXE", "explorer.exe", "familycircled", "filebeat", "filebeat.exe", "FileCoAuth.exe", "firefox", "firefox.exe", "GitHub Desktop Helper", "Google Chrome Helper", "google_osconfig_agent", "google_osconfig_agent.exe", "google_guest_agent", "GCEWindowsAgent.exe", "Google Drive", "GoogleDriveFS.exe", "GoogleUpdate.exe", "IMRemoteURLConnectionAgent", "jamf", "keybase", "ksfetch", "Lenovo.Modern.ImController.PluginHost.CompanionApp.exe", "LenovoVantageService.exe", "locationd", "mapspushd", "mcautoreg.exe", "metricbeat", "mdmclient", "Mail", "MMSSHOST.exe", "Microsoft Excel", "Microsoft.Management.Services.IntuneWindowsAgent.exe", "Microsoft OneNote", "Microsoft PowerPoint", "Microsoft Teams Helper", "Microsoft Teams Helper (Renderer)", "Microsoft Update Assistant", "Microsoft Word", "ModuleCoreService.exe", "msedge.exe", "node", "node.exe", "nsurlsessiond", "OfficeC2RClient.exe", "ONENOTE.EXE", "officesvcmgr.exe", "OfficeClickToRun.exe", "OneDrive.exe", "parsec-fbf", "parsecd", "pingsender.exe", "SDXHelper.exe", "SearchApp.exe", "ServiceLayer.exe", "Skype for Business", "Slack.exe", "Slack Helper", "snapd", "smartscreen.exe", "softwareupdated", "Spotify.exe", "Spotify Helper", "ssm-agent-worker.exe", "ssm-document-worker.exe", "syspolicyd", "SystemIdleCheck.exe", "taskhostw.exe", "Teams", "Teams.exe", "trustd", "updater", "WINWORD.EXE", "WhatsApp Helper", "xpcproxy", "Zoom.exe", "zoom.us", "ZoomPresence"]
+          'process.name': ["accountsd", "Acrobat.exe", "AcroCEF Helper", "AcroCEF.exe", "AddressBookSourceSync", "Adobe CEF Helper.exe", "Adobe CEF Helper", "Adobe Desktop Service.exe", "Adobe Desktop Service", "Adobe_CCXProcess.node", "AdobeCollabSync.exe", "akd", "appstoreagent", "apsd", "assistantd", "atmgr.exe", "backgroundTaskHost.exe", "BackgroundTransferHost.exe", "Brave Browser Helper", "CalendarAgent", "Camtasia 2020", "CCXProcess", "chrome.exe", "cloudd", "Code Helper (Renderer)", "Code Helper", "Code.exe", "com.apple.geod", "com.apple.ncplugin.stocks", "com.apple.Safari.SafeBrowsing.Service", "com.apple.WebKit.Networking", "com.docker.vpnkit", "commerce", "CompatTelRunner.exe", "Core Sync", "CoreSync.exe", "default-browser-agent.exe", "DeliveryService.exe", "DeviceCensus.exe", "Docker", "Dropbox", "Dsapi.exe", "elastic-agent.exe", "elastic-agent", "elastic-endpoint", "esensor", "EXCEL.EXE", "explorer.exe", "familycircled", "filebeat.exe", "filebeat", "FileCoAuth.exe", "firefox.exe", "firefox", "GCEWindowsAgent.exe", "GitHub Desktop Helper", "Google Chrome Helper", "Google Drive", "google_guest_agent", "google_osconfig_agent.exe", "google_osconfig_agent", "GoogleDriveFS.exe", "GoogleUpdate.exe", "HealthService.exe", "IMRemoteURLConnectionAgent", "jamf", "keybase", "ksfetch", "Lenovo.Modern.ImController.PluginHost.CompanionApp.exe", "LenovoVantageService.exe", "locationd", "lsass.exe", "Mail", "mapspushd", "mcautoreg.exe", "mdmclient", "metricbeat.exe", "metricbeat", "Microsoft Excel", "Microsoft OneNote", "Microsoft PowerPoint", "Microsoft Teams Helper (Renderer)", "Microsoft Teams Helper", "Microsoft Update Assistant", "Microsoft Word", "Microsoft.Management.Services.IntuneWindowsAgent.exe", "MMSSHOST.exe", "ModuleCoreService.exe", "msedge.exe", "msedgewebview2.exe", "node.exe", "node", "nsurlsessiond", "OfficeC2RClient.exe", "OfficeClickToRun.exe", "officesvcmgr.exe", "OneDrive.exe", "ONENOTE.EXE", "packetbeat.exe", "parsec-fbf", "parsecd", "pingsender.exe", "SDXHelper.exe", "SearchApp.exe", "ServiceLayer.exe", "Skype for Business", "Slack Helper", "Slack.exe", "smartscreen.exe", "snapd", "softwareupdated", "Spotify Helper", "Spotify.exe", "ssm-agent-worker.exe", "ssm-document-worker.exe", "svchost.exe", "syspolicyd", "SystemIdleCheck.exe", "taskhostw.exe", "Teams.exe", "Teams", "trustd", "updater", "WaAppAgent.exe", "WhatsApp Helper", "Widgets.exe", "WindowsAzureGuestAgent.exe", "WINWORD.EXE", "xpcproxy", "Zoom.exe", "zoom.us", "ZoomPresence"]
       should:
         - bool:
             filter: