From 8763616267ba352ae846ad1ea8eeb41455a24b16 Mon Sep 17 00:00:00 2001
From: taylor_socfortress <111797488+taylorwalton@users.noreply.github.com>
Date: Mon, 22 Sep 2025 09:54:04 -0500
Subject: [PATCH] Update 600000-active_response.xml

---
 Active_Response/600000-active_response.xml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/Active_Response/600000-active_response.xml b/Active_Response/600000-active_response.xml
index e5d466e..42188e8 100644
--- a/Active_Response/600000-active_response.xml
+++ b/Active_Response/600000-active_response.xml
@@ -6,9 +6,15 @@
     <group>socfortress,</group>
     <options>no_full_log</options>
   </rule>
+  <rule id="600001" level="13">
+    <decoded_as>json</decoded_as>
+    <field name="copilot_action">true</field>
+    <description>Copilot-ACTION: Automation Event</description>
+    <options>no_full_log</options>
+  </rule>
 </group>
 <group name="sysmon_config,">
- <rule id="600001" level="3">
+ <rule id="600002" level="3">
     <decoded_as>json</decoded_as>
     <field name="group">^SysmonConfigReload$</field>
     <description>Sysmon config $(step).</description>