[Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition

Author: w0rk3r

rules/windows/defense_evasion_posh_obfuscation_backtick.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -106,6 +106,10 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    powershell.file.script_block_entropy_bits,
+    powershell.file.script_block_surprisal_stdev,
+    powershell.file.script_block_length,
+    powershell.file.script_block_unique_symbols,
     file.name,
     file.directory,
     file.path,

rules/windows/defense_evasion_posh_obfuscation_backtick_var.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -105,6 +105,10 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    powershell.file.script_block_entropy_bits,
+    powershell.file.script_block_surprisal_stdev,
+    powershell.file.script_block_length,
+    powershell.file.script_block_unique_symbols,
     file.path,
     file.name,
     powershell.sequence,

rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -107,6 +107,10 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    powershell.file.script_block_entropy_bits,
+    powershell.file.script_block_surprisal_stdev,
+    powershell.file.script_block_length,
+    powershell.file.script_block_unique_symbols,
     file.path,
     powershell.sequence,
     powershell.total,

rules/windows/defense_evasion_posh_obfuscation_concat_dynamic.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -103,6 +103,10 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    powershell.file.script_block_entropy_bits,
+    powershell.file.script_block_surprisal_stdev,
+    powershell.file.script_block_length,
+    powershell.file.script_block_unique_symbols,
     file.path,
     powershell.sequence,
     powershell.total,

rules/windows/defense_evasion_posh_obfuscation_high_number_proportion.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -108,6 +108,10 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    powershell.file.script_block_entropy_bits,
+    powershell.file.script_block_surprisal_stdev,
+    powershell.file.script_block_length,
+    powershell.file.script_block_unique_symbols,
     file.directory,
     file.path,
     powershell.sequence,

rules/windows/defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -108,6 +108,10 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    powershell.file.script_block_entropy_bits,
+    powershell.file.script_block_surprisal_stdev,
+    powershell.file.script_block_length,
+    powershell.file.script_block_unique_symbols,
     file.path,
     powershell.sequence,
     powershell.total,

rules/windows/defense_evasion_posh_obfuscation_iex_string_reconstruction.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -109,6 +109,10 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    powershell.file.script_block_entropy_bits,
+    powershell.file.script_block_surprisal_stdev,
+    powershell.file.script_block_length,
+    powershell.file.script_block_unique_symbols,
     file.path,
     file.directory,
     powershell.sequence,

rules/windows/defense_evasion_posh_obfuscation_index_reversal.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -110,6 +110,10 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    powershell.file.script_block_entropy_bits,
+    powershell.file.script_block_surprisal_stdev,
+    powershell.file.script_block_length,
+    powershell.file.script_block_unique_symbols,
     file.path,
     powershell.sequence,
     powershell.total,

rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -106,6 +106,10 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    powershell.file.script_block_entropy_bits,
+    powershell.file.script_block_surprisal_stdev,
+    powershell.file.script_block_length,
+    powershell.file.script_block_unique_symbols,
     file.path,
     powershell.sequence,
     powershell.total,

rules/windows/defense_evasion_posh_obfuscation_string_concat.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"
 
 [rule]
 author = ["Elastic"]
@@ -108,6 +108,10 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
     Esql.script_block_tmp,
     powershell.file.script_block_text,
     powershell.file.script_block_id,
+    powershell.file.script_block_entropy_bits,
+    powershell.file.script_block_surprisal_stdev,
+    powershell.file.script_block_length,
+    powershell.file.script_block_unique_symbols,
     file.path,
     powershell.sequence,
     powershell.total,