title: Minimal Rule logsource: category: json product: air detection: selection: Processes: Name: csrss.exe Modules: DllPath|contains: csrss.dll condition: selection

title: Scan System Settings logsource: category: json product: air detection: selection: System: ComputerName: JohnPC condition: selection

title: Scan Autorun Entries logsource: category: json product: air detection: selection: AutorunsRegistry: CommandLine|contains: vm3dservice.exe condition: any of them

title: Scan Service Entries logsource: category: json product: air detection: cond1: AutorunsServices: KeyPath|contains: 1394ohci cond2: AutorunsServices: EntryName: ahcache condition: 2 of them

title: Scan Prefetch Entries logsource: category: json product: air detection: selection: Prefetch: FilePath|contains: - icacls.exe - psexec.exe - bitsadmin.exe condition: selection

title: Scan WMI Scripts logsource: category: json product: air detection: selection: WMICommandLine: Command|contains: powershell.exe condition: selection

title: Scan DNSCache Entries logsource: category: json product: air detection: selection: DnsCache: Name|endswith: binalyze.com condition: selection

title: Scan TCP Table Entries logsource: category: json product: air detection: selection: TcpTable: RemoteAddress: 40.90.23.154 condition: selection