[Rule Tuning] Connection to Commonly Abused Web Services

[girtsLv]

Link to Rule

https://github.com/elastic/detection-rules/blob/9dfc42aa1d62c1cf2d2fa51f8c0c4753554078fb/rules/windows/command_and_control_common_webservices.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

False positive on python executable (uv.exe) accessing the following web resource: files.pythonhosted.org

Info
- process.executable C:\Users\*\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.13_qbz5n2kfra8p0\LocalCache\local-packages\Python313\Scripts\uv.exe
- dns.question.name: files.pythonhosted.org

Example Data

n/a

[w0rk3r]

Hey @girtsLv, as this one is unsigned and most of the paths for the executable are custom from what we can see in the telemetry, this may be best excluded locally.