[Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition (#5391)

w0rk3r · tradebot-elastic · commit d46907d33a02 · 2025-12-05T12:18:38.000Z
* [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition * Update defense_evasion_posh_obfuscation_proportion_special_chars.toml * ++, powershell.file.* * ++ --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> (cherry picked from commit b8aedcd)
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -104,8 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.name,
     file.directory,
     file.path,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml b/rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -103,8 +103,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     file.name,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -105,8 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml b/rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -101,8 +101,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -106,8 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_ratio,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.directory,
     file.path,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -106,8 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml b/rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -107,8 +107,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     file.directory,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml b/rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -108,8 +108,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -104,8 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
     Esql.script_block_pattern_count,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml b/rules/windows/defense_evasion_posh_obfuscation_string_concat.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -106,8 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_string_format.toml b/rules/windows/defense_evasion_posh_obfuscation_string_format.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -105,8 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_pattern_count,
     Esql.script_block_length,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     file.directory,
     powershell.sequence,
diff --git a/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml b/rules/windows/defense_evasion_posh_obfuscation_whitespace_special_proportion.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -113,8 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_length,
     Esql.script_block_ratio,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
     powershell.sequence,
     powershell.total,
diff --git a/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml b/rules_building_block/defense_evasion_posh_obfuscation_proportion_special_chars.toml
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -73,9 +73,9 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_length,
     Esql.script_block_ratio,
     Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
     file.path,
+    file.directory,
     powershell.sequence,
     powershell.total,
     _id,
@@ -86,6 +86,11 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 
 // Filter for scripts with high special character ratio
 | where Esql.script_block_ratio > 0.30
+
+// Exclude Noisy Patterns
+| where not file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
+  // ESQL requires this condition, otherwise it only returns matches where file.directory exists.
+  or file.directory IS NULL
 '''
 
 
