What Changed
The requiredDataConnectors block in the SilkTyphoonNewUMServiceChildProcess rule contained two entries for connectorId: WindowsSecurityEvents – one correct (dataTypes: SecurityEvent) and one duplicate with a typo (dataTypes: SecurityEvents, plural). The duplicate entry has been removed.
Detection logic (KQL), entity mappings, and MITRE technique references are unchanged.
Security Impact
This is a metadata correctness fix. The erroneous SecurityEvents (plural) data type reference does not match any valid Sentinel table name and could cause rule import failures or connector dependency mismatches in some deployment tooling. Environments that deploy rules programmatically (e.g., via ARM templates or Terraform) may have encountered validation warnings. Detection coverage is restored to the expected single mapping.
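A pre-merge check for this class of error, as an added example that is not part of the original change or the repository's own tooling. It assumes the rule's requiredDataConnectors block has already been parsed into a list of dicts; the KNOWN_TABLES set and both sample inputs are constructed from the description above.

```python
from collections import Counter

# Illustrative subset of valid table names (assumption). A real check would
# load the full table list used by the workspace or repository.
KNOWN_TABLES = {"SecurityEvent", "Syslog", "SigninLogs"}


def lint_required_connectors(connectors, known_tables=KNOWN_TABLES):
    """Return findings for one rule's requiredDataConnectors list.

    `connectors` is the parsed list, e.g. what PyYAML's
    yaml.safe_load(text)["requiredDataConnectors"] would return.
    """
    findings = []

    # A connectorId should appear once, with all its data types in one entry.
    counts = Counter(c.get("connectorId") for c in connectors)
    for connector_id, n in counts.items():
        if n > 1:
            findings.append(f"duplicate connectorId {connector_id!r} ({n} entries)")

    # Every dataTypes value must name a table that actually exists.
    for c in connectors:
        for data_type in c.get("dataTypes") or []:
            if data_type not in known_tables:
                findings.append(
                    f"unknown dataType {data_type!r} "
                    f"under connectorId {c.get('connectorId')!r}"
                )
    return findings


# Constructed from the description: the block before and after the fix.
BEFORE = [
    {"connectorId": "WindowsSecurityEvents", "dataTypes": ["SecurityEvent"]},
    {"connectorId": "WindowsSecurityEvents", "dataTypes": ["SecurityEvents"]},
]
AFTER = [
    {"connectorId": "WindowsSecurityEvents", "dataTypes": ["SecurityEvent"]},
]

if __name__ == "__main__":
    for label, block in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_required_connectors(block) or "clean")
```

Run over every rule file in CI, a non-empty findings list can fail the build before the metadata reaches deployment tooling.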
Affected Files
Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml