Conversation
Rule: Tuning - GuidelinesThese guidelines serve as a reminder set of considerations when tuning an existing rule. Documentation and Context
Rule Metadata Checks
Testing and Validation
|
|
⛔️ Test failed Results
|
There was a problem hiding this comment.
Pull request overview
This PR tunes multiple Windows detection rules to reduce false positives and correct minor issues, aligned to the linked tuning issues (#6228, #6016).
Changes:
- Adjusted EQL logic in PPID spoofing and unusual parent/child relationship rules to suppress additional benign patterns.
- Expanded allowlists in the Kerberos correlation rule and added a new benign driver hash exclusion.
- Fixed a typo in the ScreenConnect child-process rule (bitsadmin).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| rules/windows/privilege_escalation_via_ppid_spoofing.toml | Adds new allowlist logic for accessibility utilities and extends a Netwrix-related exclusion. |
| rules/windows/privilege_escalation_unusual_parentchild_relationship.toml | Adds new false-positive suppressions (WER rundll32 pattern, 4688 SID-like parent name). |
| rules/windows/lateral_movement_credential_access_kerberos_correlation.toml | Adds additional benign process paths to the Kerberos correlation allowlist. |
| rules/windows/defense_evasion_untrusted_driver_loaded.toml | Adds a new SHA256 exception (test-signed driver) and adjusts comment placement. |
| rules/windows/command_and_control_screenconnect_childproc.toml | Fixes bitsadmin.exe typo in the suspicious child process list. |
|
⛔️ Test failed Results
|
| (process.name : "msiexec.exe" and process.args : ("/i", "-i") and | ||
| process.args : ("/q", "/quiet", "/qn", "-q", "-quiet", "-qn", "-Q+")) or | ||
| process.name : ("mshta.exe", "certutil.exe", "bistadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe", | ||
| process.name : ("mshta.exe", "certutil.exe", "bitsadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe", |
There was a problem hiding this comment.
any noisy FPs worth excluding for this rule?
There was a problem hiding this comment.
I see a high volume for C:\WINDOWS\SystemTemp\ScreenConnect\<version>\<random>run.cmd, but I need to validate whether this is for updates only or for script execution. Will do that as part of https://github.com/elastic/ia-trade-team/issues/984
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
|
⛔️ Test failed Results
|
Issues
Resolves #6228
Resolves #6016
Summary
Excludes FP Patterns, fix a typo.