0xC0FFEEEE
diff --git a/‎.gitignore
Lines changed: 1 addition & 0 deletions b/‎.gitignore
Lines changed: 1 addition & 0 deletions
diff --git a/‎baselines/previously_seen_running_windows_services___update.yml
Lines changed: 1 addition & 1 deletion b/‎baselines/previously_seen_running_windows_services___update.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎bin/docker_detection_tester/README.md
Lines changed: 0 additions & 97 deletions b/‎bin/docker_detection_tester/README.md
Lines changed: 0 additions & 97 deletions
diff --git a/‎bin/docker_detection_tester/ansible/attack_replay.yml
Lines changed: 0 additions & 6 deletions b/‎bin/docker_detection_tester/ansible/attack_replay.yml
Lines changed: 0 additions & 6 deletions
diff --git a/‎bin/docker_detection_tester/ansible/roles/attack_replay/tasks/main.yml
Lines changed: 0 additions & 23 deletions b/‎bin/docker_detection_tester/ansible/roles/attack_replay/tasks/main.yml
Lines changed: 0 additions & 23 deletions
diff --git a/‎bin/docker_detection_tester/ansible/roles/update_escu/tasks/main.yml
Lines changed: 0 additions & 32 deletions b/‎bin/docker_detection_tester/ansible/roles/update_escu/tasks/main.yml
Lines changed: 0 additions & 32 deletions
diff --git a/‎bin/docker_detection_tester/ansible/update_escu.yml
Lines changed: 0 additions & 4 deletions b/‎bin/docker_detection_tester/ansible/update_escu.yml
Lines changed: 0 additions & 4 deletions
diff --git a/‎bin/docker_detection_tester/authorize.conf.tar
-2 KB b/‎bin/docker_detection_tester/authorize.conf.tar
-2 KB
diff --git a/‎bin/docker_detection_tester/datamodels.conf.tar
-11.5 KB b/‎bin/docker_detection_tester/datamodels.conf.tar
-11.5 KB
@@ -1,5 +1,6 @@
 # Ignore example files from contentctl tool
 apps/
+dist/
 test_results/
 detections/*/.yml.example
 stories/*.yml.example
 
@@ -13,7 +13,7 @@ search: '`wineventlog_system` EventCode=7036 | rex field=Message "The (?<service
   service entered the (?<state>\w+) state" | where state="running" | stats earliest(_time)
   as firstTimeSeen, latest(_time) as lastTimeSeen by service | inputlookup previously_seen_running_windows_services
   append=t | stats min(firstTimeSeen) as firstTimeSeen, max(lastTimeSeen) as lastTimeSeen
-  by service | where lastTimeSeen > relative_time(now(), "`previously_seen_windows_service_forget_window`")
+  by service | where lastTimeSeen > relative_time(now(), `previously_seen_windows_services_forget_window`)
   | outputlookup previously_seen_running_windows_services'
 how_to_implement: While this search does not require you to adhere to Splunk CIM,
   you must be ingesting your Windows security-event logs for it to execute successfully.