From cec7f2fdc8a58c99f82d0d04d041435cee25d467 Mon Sep 17 00:00:00 2001
From: Chiheb Chebbi
Date: Tue, 18 May 2021 05:28:37 +0100
Subject: [PATCH] Update SignedBinaryProxyExecutionRundll32.yaml
---
 .../SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml b/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml
index a147f000b4..ad6740bc56 100644
--- a/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml
+++ b/Hunting Queries/SecurityEvent/SignedBinaryProxyExecutionRundll32.yaml
@@ -21,7 +21,7 @@ query: |
 | extend EventData = parse_xml(EventData).DataItem.EventData.Data
 | mv-expand bagexpansion=array EventData
 | evaluate bag_unpack(EventData)
- | extend Key=tostring(['@Name']), Value=['#text']
+ | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
 | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
 | extend RuleName = column_ifexists("RuleName", ""), TechniqueId = column_ifexists("TechniqueId", ""), TechniqueName = column_ifexists("TechniqueName", "")
 | parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName
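Review bot: The empty-string defaults on the new `extend` line mean a row whose unpacked bag has no `@Name` column now reaches the `pivot` with `Key = ""` rather than failing, so the pivot can emit a column with an empty name and that row's value never lands in the named columns the later `extend` reads; adding `| where isnotempty(Key)` between the new line and the `pivot` keeps the schema tolerance this change introduces without carrying empty keys into the pivot. The reason for switching to `column_ifexists` is not recorded anywhere in the hunk or the commit message; presumably the `bag_unpack` output has no `@Name`/`#text` columns when nothing matches upstream, which made the old `['@Name']` reference fail, and a one-line KQL comment above the changed line, `// column_ifexists: the unpacked columns are absent when no event rows reach bag_unpack, which made a direct ['@Name'] reference fail`, would spare the next maintainer from reverting it. Note also that `column_ifexists('#text', "")` falls back to a string while the existing column is whatever type `bag_unpack` produced, so `any(Value)` may now see mixed types across runs; worth a quick check that downstream consumers of the pivoted columns tolerate that. The enclosing `query: |` block starts before this hunk and continues after it.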