[Rule Tuning] Mark some field optional for 3rd party compatibility (#5135)

w0rk3r · tradebot-elastic · commit bbebf4eda2cc · 2025-09-22T12:46:47.000Z
* [Rule Tuning] Mark some field optional for 3rd party compatibility * bump (cherry picked from commit cd6c37e)
diff --git a/rules/windows/command_and_control_dns_susp_tld.toml b/rules/windows/command_and_control_dns_susp_tld.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/05"
+updated_date = "2025/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -79,7 +79,7 @@ network where host.os.type == "windows" and dns.question.name != null and
                   "java.exe", "javaw.exe", "*.pif", "*.com", "*.scr") or
   (?process.code_signature.trusted == false or ?process.code_signature.exists == false) or
   ?process.code_signature.subject_name : ("AutoIt Consulting Ltd", "OpenJS Foundation", "Python Software Foundation") or
-  process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe")
+  ?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe")
  ) and
 dns.question.name regex """.*\.(top|buzz|xyz|rest|ml|cf|gq|ga|onion|monster|cyou|quest|cc|bar|cfd|click|cam|surf|tk|shop|club|icu|pw|ws|online|fun|life|boats|store|hair|skin|motorcycles|christmas|lol|makeup|mom|bond|beauty|biz|live|work|zip|country|accountant|date|party|science|loan|win|men|faith|review|racing|download|host)"""
 '''
diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
 maturity = "production"
-updated_date = "2025/08/08"
+updated_date = "2025/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -111,7 +111,7 @@ registry where host.os.type == "windows" and event.action != "deletion" and
       "HKLM\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*",
       "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Office\\ClickToRun\\VREGISTRY_*"
     ) or
-    (process.executable : "C:\\windows\\System32\\msiexec.exe" and user.id : "S-1-5-18")
+    (process.executable : "C:\\windows\\System32\\msiexec.exe" and ?user.id : "S-1-5-18")
   )
 '''
 
diff --git a/rules/windows/execution_windows_powershell_susp_args.toml b/rules/windows/execution_windows_powershell_susp_args.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ process where host.os.type == "windows" and event.type == "start" and
  process.name : "powershell.exe" and
 
   not (
-    user.id == "S-1-5-18" and
+    ?user.id == "S-1-5-18" and
     /* Don't apply the user.id exclusion to Sysmon for compatibility */
     not event.dataset : ("windows.sysmon_operational", "windows.sysmon")
   ) and
