[BUG] Noisy Filter in Windows Registry Delete Task SD

[thegreatmhn]

in this scenario the default filter is :
| tstats security_content_summariesonly count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path IN ("\Schedule\TaskCache\Tree\") Registry.user="SYSTEM" Registry.registry_value_name="SD" (Registry.action=Deleted OR Registry.action=modified) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
| drop_dm_object_name(Registry)
| security_content_ctime(firstTime)
| security_content_ctime(lastTime)
| windows_registry_delete_task_sd_filter

the Registry.action filter "modify" is very noisy and the rule will fire with each scheduled task creation when we create a new scheduled task the value of this three reg paths will modify as follow
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TEST1\Index
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TEST1\Id
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TEST1\SD
so please remove the Registry.action=modified from the rule
the picture below show the sysmon event log after creating a scheduled task called test1

[nasbench]

Will investigate