[Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts

Author: w0rk3r

rules/windows/defense_evasion_posh_assembly_load.toml

@@ -169,6 +169,14 @@ value = """
 C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\Monitoring Host Temporary
 Files*\\AvailabilityGroupMonitoring.ps1
 """
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."file.path"]
+case_insensitive = true
+value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]

rules/windows/defense_evasion_posh_process_injection.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/10/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -107,6 +107,14 @@ event.category:process and host.os.type:windows and
   )
 '''
 
+[[rule.filters]]
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."file.path"]
+case_insensitive = true
+value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
+
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"

rules_building_block/discovery_posh_generic.toml

@@ -204,6 +204,14 @@ negate = true
 [rule.filters.query.wildcard."file.path"]
 case_insensitive = true
 value = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*"
+
+[rule.filters.meta]
+negate = true
+[rule.filters.query.wildcard."file.path"]
+case_insensitive = true
+value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]