Replies: 1 comment
I attach an image capture of the policy.
Version: 2.4.150
Installation Method: Security Onion ISO image
Description: other (please provide detail below)
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 5
RAM: 32
Storage for /: 200 GB
Storage for /nsm: 300 GB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: Yes, there are salt failures (please provide detail below)
Logs: No, there are no additional clues
Detail:
Hello
I'm seeing thousands of alerts for the Sigma rule "Execution Of Non-Existing File" (UUID: 71158e3f-df67-472b-930e-7d287acaa3e1).
According to its definition, this rule is intended for Windows systems:
However, these alerts are being triggered by a Linux host that's running an Elastic Agent. Here are some fields from a typical alert:
As you can see, the alert correctly identifies the host OS as Linux, and the process (/usr/sbin/cron) is a standard, legitimate Linux process. Yet, the rule.product:windows indicates that the rule is intended for Windows environments, making this a clear false positive.
Are there any other recommended approaches or best practices for handling such discrepancies where a Windows-specific rule triggers incorrectly on Linux hosts?
Any help or insights would be greatly appreciated.
Thank you in advance,
Carlos.
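As an added example (not Security Onion's code and not part of the discussion above), the following Python post-filter shows one defensive way to handle the discrepancy the post describes: compare the Sigma logsource product carried in the alert (rule.product) with the reporting host's OS (host.os.type) and set aside hits where a Windows-only rule fired on a Linux host. The field names rule.name, rule.uuid, rule.product, host.name, host.os.type and process.executable are assumed ECS-style names as an Elastic Agent pipeline would emit them; the host names and the Zeek alert are constructed sample data.

```python
# Added example, not Security Onion's or the poster's code.
# Post-filter for Sigma-derived alerts whose logsource product implies an OS
# different from the reporting host's OS (assumed ECS-style field names).
from collections import Counter

# Sigma logsource 'product' -> ECS host.os.type value(s) on which that
# product's rules are meaningful.  Products without an OS (zeek, okta, ...)
# are absent from this map and are never suppressed.
PRODUCT_OS = {
    "windows": {"windows"},
    "linux": {"linux"},
    "macos": {"macos"},
}


def get_field(doc, dotted, default=None):
    """Resolve a dotted ECS field name ('host.os.type') against a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def os_mismatch(alert):
    """True when rule.product implies an OS that differs from host.os.type.

    Unknown products and alerts without a host OS are never treated as a
    mismatch, so only clear-cut cross-platform hits are suppressed.
    """
    product = str(get_field(alert, "rule.product", "")).lower()
    host_os = str(get_field(alert, "host.os.type", "")).lower()
    expected = PRODUCT_OS.get(product)
    if expected is None or not host_os:
        return False
    return host_os not in expected


def triage(alerts):
    """Split alerts into (kept, suppressed) and count suppressions per rule/host."""
    kept, suppressed, counts = [], [], Counter()
    for alert in alerts:
        if os_mismatch(alert):
            suppressed.append(alert)
            counts[(get_field(alert, "rule.name"), get_field(alert, "host.name"))] += 1
        else:
            kept.append(alert)
    return kept, suppressed, counts


def make_alert(rule_name, rule_uuid, product, host, os_type, executable):
    """Build a minimal ECS-shaped alert document (constructed sample data)."""
    return {
        "rule": {"name": rule_name, "uuid": rule_uuid, "product": product},
        "host": {"name": host, "os": {"type": os_type}},
        "process": {"executable": executable},
    }


RULE = "Execution Of Non-Existing File"
RULE_ID = "71158e3f-df67-472b-930e-7d287acaa3e1"

# Constructed sample alerts: host names, the Windows path and the Zeek rule
# (with a placeholder UUID) are invented for the example.
SAMPLE_ALERTS = [
    make_alert(RULE, RULE_ID, "windows", "lnx-web01", "linux", "/usr/sbin/cron"),
    make_alert(RULE, RULE_ID, "windows", "lnx-web01", "linux", "/usr/sbin/cron"),
    make_alert(RULE, RULE_ID, "windows", "win-dc01", "windows",
               "C:\\Windows\\System32\\svchost.exe"),
    make_alert("Example Zeek Rule", "00000000-0000-0000-0000-000000000000",
               "zeek", "lnx-web01", "linux", "/usr/bin/zeek"),
]

if __name__ == "__main__":
    kept, suppressed, counts = triage(SAMPLE_ALERTS)
    print(f"kept={len(kept)} suppressed={len(suppressed)}")
    for (name, host), n in counts.items():
        print(f"  {n}x '{name}' on {host}: rule.product does not match host.os.type")
```

The filter deliberately errs on the side of keeping alerts: a product that has no OS mapping, or an alert with no host.os.type at all, is passed through unchanged, so only the unambiguous case from the post (a product: windows rule firing on a host reporting linux) is suppressed, and the per-rule, per-host counter tells you which rules deserve a permanent tuning rather than a triage-time filter.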