Skip to content

Commit a15f120

Browse files
MikaayensonSamirbous
Mikaayenson
and
Samirbous
committed
Apply suggestions from code review
Co-authored-by: Samirbous <[email protected]>
1 parent 6849865 commit a15f120

File tree

2 files changed

+11
-7
lines changed

2 files changed

+11
-7
lines changed

rules/cross-platform/execution_genai_process_compiling_executables.toml

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[metadata]
22
creation_date = "2025/12/04"
3-
integration = ["endpoint"]
3+
integration = ["endpoint", "windows", "auditd_manager", "sentinel_one_cloud_funnel", "m365_defender"]
44
maturity = "production"
55
updated_date = "2025/12/04"
66

@@ -13,7 +13,7 @@ pyarmor) are particularly high-risk as they create standalone executables that c
1313
This rule focuses on compilation activity that produces output binaries, filtering out inspection-only operations.
1414
"""
1515
from = "now-9m"
16-
index = ["logs-endpoint.events.*"]
16+
index = ["logs-endpoint.events.process*"]
1717
language = "eql"
1818
license = "Elastic License v2"
1919
name = "GenAI Process Compiling or Generating Executables"
@@ -49,9 +49,9 @@ references = [
4949
"https://atlas.mitre.org/techniques/AML.T0053",
5050
"https://www.elastic.co/security-labs/elastic-advances-llm-security"
5151
]
52-
risk_score = 73
52+
risk_score = 47
5353
rule_id = "b2c3d4e5-f6a7-8901-bcde-f123456789ab"
54-
severity = "high"
54+
severity = "medium"
5555
tags = [
5656
"Domain: Endpoint",
5757
"OS: Linux",
@@ -60,15 +60,19 @@ tags = [
6060
"Use Case: Threat Detection",
6161
"Tactic: Execution",
6262
"Tactic: Defense Evasion",
63-
"Data Source: Elastic Defend",
63+
"Data Source: Elastic Defend",
64+
"Data Source: Sysmon",
65+
"Data Source: Auditd Manager",
66+
"Data Source: Microsoft Defender for Endpoint",
67+
"Data Source: SentinelOne",
6468
"Resources: Investigation Guide",
6569
"Domain: LLM",
6670
"Mitre Atlas: T0053",
6771
]
6872
timestamp_override = "event.ingested"
6973
type = "eql"
7074
query = '''
71-
process where event.type == "start" and event.action in ("exec", "executed", "process_started", "start", "ProcessRollup2") and
75+
process where event.type == "start" and event.type == "start" and
7276
7377
// GenAI parent process
7478
(

rules_building_block/execution_mcp_server_child_process.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[metadata]
22
creation_date = "2025/12/04"
3-
integration = ["endpoint"]
3+
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
44
maturity = "production"
55
updated_date = "2025/12/04"
66

0 commit comments

Comments
 (0)