From 98c505caf2410e9e679b17e5ab358cd2967f3815 Mon Sep 17 00:00:00 2001
From: taylor_socfortress <111797488+taylorwalton@users.noreply.github.com>
Date: Sat, 9 Sep 2023 08:26:19 -0500
Subject: [PATCH] Update 900000-exclusion_rules.xml

---
 Exclusion Rules/900000-exclusion_rules.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Exclusion Rules/900000-exclusion_rules.xml b/Exclusion Rules/900000-exclusion_rules.xml
index 6d1cef5..fe2ba9e 100644
--- a/Exclusion Rules/900000-exclusion_rules.xml	
+++ b/Exclusion Rules/900000-exclusion_rules.xml	
@@ -449,4 +449,12 @@
     <description>Exclude LogonSessions Running Sigma Alert</description>
     <options>no_full_log</options>
   </rule>
+  <!-- Exclude LogonSessions Running Sigma Alert -->
+  <rule id="900065" level="1">
+    <if_sid>200051</if_sid>
+    <field name="name" type="pcre2">(?i)^Remote Thread Creation In Uncommon Target Image$</field>
+    <field name="event.SourceImage" type="pcre2">(?i)^C:\\Program Files\\socfortress\\sysinternals\\logonsessions64\.exe$</field>
+    <description>Exclude LogonSessions Running Sigma Aler</description>
+    <options>no_full_log</options>
+  </rule>
 </group>