Detection logic improvement: Remove unnecessary join in Windows Office Product Dropped Cab or Inf File #3853

@thegreatmhn

Description

While investigating the ESCU detection “Windows Office Product Dropped Cab or Inf File”, I noticed the SPL uses a join between Endpoint.Processes and Endpoint.Filesystem on process_guid.
This join is not required and introduces unnecessary performance overhead.

The same detection logic can be achieved more efficiently by filtering filesystem events using the Filesystem.image / process fields, which are already populated in the Endpoint datamodel.

Current Detection Logic (Issue)

The detection currently performs:

  • A tstats on Endpoint.Processes
  • A second tstats on Endpoint.Filesystem
  • A join on process_guid

This approach:

  • Increases search cost and execution time
  • Risks partial results due to join behavior
  • Is unnecessary because process context already exists in the Filesystem datamodel

Why the join is unnecessary

In the Endpoint.Filesystem datamodel, the following field is already available: `Filesystem.image`
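To make the two shapes concrete, here is an added illustration written for this page; it is neither the ESCU detection's actual SPL nor the issue author's code. The first search is the join-based shape the issue describes, the second is the single-datamodel form it proposes. The Office process names, the use of `Filesystem.file_name` for the `.cab`/`.inf` match, and the wildcard match on `Filesystem.process` (swap in `Filesystem.image` if that is what your datamodel populates) are assumptions.

```spl
| tstats summariesonly=true count from datamodel=Endpoint.Processes
    where Processes.process_name IN ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
    by _time span=1h Processes.dest Processes.process_name Processes.process_guid
| rename Processes.* as *
| join process_guid
    [| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
        from datamodel=Endpoint.Filesystem
        where Filesystem.file_name IN ("*.cab", "*.inf")
        by _time span=1h Filesystem.dest Filesystem.file_name Filesystem.file_path Filesystem.process_guid
     | rename Filesystem.* as *]
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime dest process_name process_guid file_name file_path

| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_name IN ("*.cab", "*.inf")
      Filesystem.process IN ("*winword.exe*", "*excel.exe*", "*powerpnt.exe*", "*outlook.exe*")
    by Filesystem.dest Filesystem.process Filesystem.process_guid Filesystem.file_name Filesystem.file_path
| rename Filesystem.* as *
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime dest process process_guid file_name file_path
```

The second form reads one accelerated datamodel once and avoids the join subsearch, whose default result and time limits (limits.conf `[join]` `subsearch_maxout` and `subsearch_maxtime`) are what silently truncate matches in the first form; before switching, confirm with a quick `| tstats count from datamodel=Endpoint.Filesystem where Filesystem.process=* ` that your Filesystem events actually carry the process field.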
