Merge pull request #3300 from splunk/5.0_fixes

Remove falcon data

Author: nasbench

detections/endpoint/suspicious_process_file_path.yml

@@ -22,7 +22,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*",
   "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*",  "\\Windows\\repair\\*",
   "*\\temp\\*" , "*\\PerfLogs\\*","*\\windows\\tasks\\*", "*:\\programdata\\*") by
-  Processes.parent_process_name Processes.parent_process Processes.process_path Processes.dest
+  Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_path Processes.dest
   Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection

detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml

@@ -65,8 +65,3 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog
-- name: True Positive Test - CrowdStrike
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.002/atomic_red_team/crowdstrike_falcon.log
-    source: crowdstrike
-    sourcetype: crowdstrike:events:sensor