Update network_connection_discovery_with_arp.yml

nasbench · nasbench · commit 7f6959ec6aee · 2026-04-09T12:17:15.000+02:00
diff --git a/detections/endpoint/network_connection_discovery_with_arp.yml b/detections/endpoint/network_connection_discovery_with_arp.yml
@@ -12,8 +12,17 @@ data_source:
     - Windows Event Log Security 4688
     - CrowdStrike ProcessRollup2
 search: |-
-    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE
-    Processes.process_name="arp.exe"
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+
+    FROM datamodel=Endpoint.Processes WHERE
+
+    (
+        Processes.process_name="arp.exe"
+        OR
+        Processes.process_original_file_name="arp.exe"
+    )
     Processes.process IN (
         "* -a*",
         "* -g *",
