[BUG] ESCU - Suspicious Curl Network Connection issue


### **Describe the bug**
This detection is filtering based on the condition `Processes.process=s3.amazonaws.com`. This will never generate an alert if the datamodel is configured correctly as specified [here](https://help.splunk.com/en/data-management/common-information-model/6.0/data-models/endpoint). If you look at the description for Processes.process you'll see that it's intended to contain the name of the calling process so this would always fail to catch the intended acitivity. Changing this to `Processes.process IN("*s3.amazonaws.com*") ` would resolve this issue.

### **Expected behavior**
An alert/risk score is generated when a URL containing "s3.amazonaws.com" is curled.


### **App Version:**
- Splunk Cloud
- Enterprise Security Version: 8.2.2
- Build: 198157



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[BUG] ESCU - Suspicious Curl Network Connection issue #3796

Describe the bug

Expected behavior

App Version:

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[BUG] ESCU - Suspicious Curl Network Connection issue #3796

Description

Describe the bug

Expected behavior

App Version:

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions