From 45f804c43c0716ac24bccde906dad229a0a8950d Mon Sep 17 00:00:00 2001
From: Nic <nicpenning@hotmail.com>
Date: Sun, 1 Mar 2020 16:30:44 -0600
Subject: [PATCH] [SIEM] Detection Fix typo in Adobe Hijack Persistence rule
 (#58804)

Fixes https://github.com/elastic/kibana/issues/58803
---
 .../rules/prepackaged_rules/eql_adobe_hijack_persistence.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
index 387726168cb10..8b8c510093260 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/eql_adobe_hijack_persistence.json
@@ -6,7 +6,7 @@
   "language": "kuery",
   "max_signals": 100,
   "name": "Adobe Hijack Persistence",
-  "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexeec.exe",
+  "query": "file.path:(\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" or \"C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\") and event.action:\"File created (rule: FileCreate)\" and not process.name:msiexec.exe",
   "risk_score": 21,
   "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86",
   "severity": "low",
@@ -32,5 +32,5 @@
     }
   ],
   "type": "query",
-  "version": 1
+  "version": 2
 }