Update 600000-active_response.xml

2025-10-23 00:02:11 +00:00 · 2025-09-22 09:54:04 -05:00
parent b8b2c759f8
commit 8763616267
1 changed files with 7 additions and 1 deletions
--- a/Active_Response/600000-active_response.xml
+++ b/Active_Response/600000-active_response.xml
@@ -6,9 +6,15 @@
    <group>socfortress,</group>
    <options>no_full_log</options>
  </rule>
+  <rule id="600001" level="13">
+    <decoded_as>json</decoded_as>
+    <field name="copilot_action">true</field>
+    <description>Copilot-ACTION: Automation Event</description>
+    <options>no_full_log</options>
+  </rule>
 </group>
 <group name="sysmon_config,">
- <rule id="600001" level="3">
+ <rule id="600002" level="3">
    <decoded_as>json</decoded_as>
    <field name="group">^SysmonConfigReload$</field>
    <description>Sysmon config $(step).</description>