[Rule Tuning] Windows - Small Adjusts for Compatibility (#5032)

w0rk3r · web-flow · commit 00c6e785cbe3 · 2025-08-28T10:20:13.000-07:00
diff --git a/rules/windows/command_and_control_tool_transfer_via_curl.toml b/rules/windows/command_and_control_tool_transfer_via_curl.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/27"
 
 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ process where host.os.type == "windows" and event.type == "start" and
     "mshta.exe", "hh.exe", "mmc.exe"
   ) and 
   not (
-    user.id == "S-1-5-18" and
+    ?user.id == "S-1-5-18" and
     /* Don't apply the user.id exclusion to Sysmon for compatibility */
     not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
   ) and
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/01/31"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/08/13"
+updated_date = "2025/08/27"
 
 [rule]
 author = ["Elastic"]
@@ -90,13 +90,11 @@ registry where host.os.type == "windows" and event.type == "change" and
         "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging",
         "MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging"
     ) and registry.data.strings : ("0", "0x00000000") and
-    not (
-        process.executable : (
+    not process.executable : (
           "?:\\Windows\\System32\\svchost.exe",
           "?:\\Windows\\System32\\DeviceEnroller.exe",
           "?:\\Windows\\system32\\omadmclient.exe",
           "?:\\Program Files (x86)\\N-able Technologies\\AutomationManagerAgent\\AutomationManager.AgentService.exe"
-        ) and user.id == "S-1-5-18"
     )
 '''
 
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/01"
 integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/08/27"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
     "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.",
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.file-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
+index = ["logs-endpoint.events.file-*", "logs-sentinel_one_cloud_funnel.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Third-party Backup Files Deleted via Unexpected Process"
@@ -60,22 +60,13 @@ This rule identifies file deletions performed by a process that does not belong
 references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"]
 risk_score = 47
 rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9"
-setup = """## Setup
-
-If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
-events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
-Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
-`event.ingested` to @timestamp.
-For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
-"""
 severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
     "Use Case: Threat Detection",
     "Tactic: Impact",
     "Resources: Investigation Guide",
-    "Data Source: Elastic Endgame",
     "Data Source: Elastic Defend",
     "Data Source: SentinelOne",
 ]
