[Tuning] Top Noisy Rules

rules/cross-platform/impact_hosts_file_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -78,23 +78,37 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where
+any where process.executable != null and
 
   /* file events for creation; file change events are not captured by some of the included sources for linux and so may
      miss this, which is the purpose of the process + command line args logic below */
   (
-   event.category == "file" and event.type in ("change", "creation") and
+   event.category == "file" and event.type in ("change", "creation") and event.action != "rename" and
      file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and 
-     not process.name in ("dockerd", "rootlesskit", "podman", "crio")
+     not process.name in ("dockerd", "rootlesskit", "podman", "crio") and
+     not process.executable : ("C:\\Program Files\\Fortinet\\FortiClient\\FCDBLog.exe",
+                               "C:\\Program Files\\Seqrite\\Seqrite\\SCANNER.EXE",
+                               "C:\\Windows\\Temp\\*.ins\\inst.exe",
+                               "C:\\Windows\\System32\\svchost.exe",
+                               "C:\\Program Files\\NordVPN\\nordvpn-service.exe",
+                               "C:\\Program Files\\Tailscale\\tailscaled.exe",
+                               "C:\\Program Files\\Docker\\Docker\\com.docker.service",
+                               "C:\\Program Files\\Quick Heal\\Quick Heal AntiVirus Pro\\scanner.exe",
+                               "C:\\Program Files (x86)\\Quick Heal AntiVirus Pro\\SCANNER.EXE",
+                               "C:\\Program Files\\Quick Heal\\Quick Heal Internet Security\\scanner.exe",
+                               "C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe",
+                               "/opt/IBM/InformationServer/Server/DSEngine/bin/uvsh",
+                               "/usr/local/demisto/server")
   )
   or
 
   /* process events for change targeting linux only */
   (
    event.category == "process" and event.type in ("start") and
      process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and
-     process.args : ("/etc/hosts") and 
-     not process.parent.name in ("dhclient-script", "google_set_hostname")
+     (process.args : ("/etc/hosts") or (process.working_directory == "/etc" and process.args == "hosts")) and 
+     not process.parent.name in ("dhclient-script", "google_set_hostname") and
+     not process.command_line == "sed -i /Added by Google/d /etc/hosts"
   )
 '''
 

rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/08/18"
+updated_date = "2025/12/12"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -97,7 +97,7 @@ type = "new_terms"
 query = '''
 event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and
     event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and
-    not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera")
+    not user_agent.name: ("Chrome" or "Firefox" or "Safari" or "Edge" or "Brave" or "Opera" or "Boto3")
 '''
 
 [rule.investigation_fields]

rules/linux/execution_shell_evasion_linux_binary.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/05/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -139,20 +139,18 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "linux" and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and process.executable != null and
 (
   /* launching shell from capsh */
-  (process.name == "capsh" and process.args == "--") or
+  (process.name == "capsh" and process.args == "--" and not process.parent.executable == "/usr/bin/log4j-cve-2021-44228-hotpatch") or
 
   /* launching shells from unusual parents or parent+arg combos */
   (process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
     (process.parent.name : "*awk" and process.parent.args : "BEGIN {system(*)}") or
-    (process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or
-     process.args : ("*PAGER*", "!*sh", "exec *sh") and not process.name == "ssh" ) or
+    (process.parent.name == "git" and process.parent.args : ("!*sh", "exec *sh") and not process.name == "ssh" ) or
     (process.parent.name : ("byebug", "ftp", "strace", "zip", "tar") and
     (
       process.parent.args : "BEGIN {system(*)}" or
-      (process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")) or
       (
         (process.parent.args : "exec=*sh" or (process.parent.args : "-I" and process.parent.args : "*sh")) or
         (process.args : "exec=*sh" or (process.args : "-I" and process.args : "*sh"))
@@ -182,7 +180,8 @@ process where host.os.type == "linux" and event.type == "start" and
   )) or
   (process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not
    process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox" and not (process.parent.args == "init" and
-   process.parent.args == "runc") and not process.parent.args in ("ls-remote", "push", "fetch") and not process.parent.name == "mkinitramfs") or
+   process.parent.args == "runc") and not process.parent.args in ("ls-remote", "push", "fetch") and not process.parent.name == "mkinitramfs" and
+   not process.parent.executable == "/bin/busybox") or
   (process.name == "env" and process.args_count == 2 and process.args : "*sh") or
   (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or
   (process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or

rules/windows/credential_access_bruteforce_admin_account.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2025/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -38,8 +38,7 @@ short time interval. Adversaries will often brute force login attempts across mu
 password, in an attempt to gain access to accounts.
 """
 from = "now-9m"
-index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
-language = "eql"
+language = "esql"
 license = "Elastic License v2"
 name = "Privileged Account Brute Force"
 note = """## Triage and analysis
@@ -103,16 +102,28 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Windows Security Event Logs",
 ]
-type = "eql"
+type = "esql"
 
 query = '''
-sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where host.os.type == "windows" and
-    event.action == "logon-failed" and winlog.logon.type : "Network" and
-    source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and
-
-    /* noisy failure status codes often associated to authentication misconfiguration */
-    not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
+from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
+| where event.category == "authentication" and host.os.type == "windows" and event.action == "logon-failed" and
+  winlog.logon.type == "Network" and source.ip is not null and winlog.computer_name is not null and
+  not cidr_match(TO_IP(source.ip), "127.0.0.0/8", "::1") and
+  to_lower(winlog.event_data.TargetUserName) like "*admin*"  and
+  /*
+    noisy failure status codes often associated to authentication misconfiguration
+     0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.
+     0XC000005E - There are currently no logon servers available to service the logon request.
+     0XC0000133 - Clocks between DC and other computer too far out of sync.
+     0XC0000192 An attempt was made to logon, but the Netlogon service was not started.
+     0xc00000dc - DC is in shutdown phase, it will normally tell current clients to use another DC for authentication.
+  */
+  not winlog.event_data.Status in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192", "0xc00000dc")
+// truncate the timestamp to a 60-second window
+| eval Esql.time_window = date_trunc(60 seconds, @timestamp)
+| stats Esql.failed_auth_count = COUNT(*), Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName), Esql.user_domain_values = VALUES(user.domain), Esql.error_codes = VALUES(winlog.event_data.Status), Esql.data_stream_namespace.values = VALUES(data_stream.namespace) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type
+| where Esql.failed_auth_count >= 50
+| KEEP winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type, Esql.*
 '''
 
 

rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2025/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -38,8 +38,7 @@ Adversaries will often brute force login attempts across multiple users with a c
 to gain access to accounts.
 """
 from = "now-9m"
-index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
-language = "eql"
+language = "esql"
 license = "Elastic License v2"
 name = "Multiple Logon Failure from the same Source Address"
 note = """## Triage and analysis
@@ -117,24 +116,29 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Windows Security Event Logs",
 ]
-type = "eql"
+timestamp_override = "event.ingested"
+type = "esql"
 
 query = '''
-sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
-    /* event 4625 need to be logged */
-    winlog.logon.type : "Network" and
-    source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
-    not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY" and
-
-    /*
-    noisy failure status codes often associated to authentication misconfiguration :
+from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
+| where event.category == "authentication" and host.os.type == "windows" and event.action == "logon-failed" and
+  winlog.logon.type == "Network" and source.ip is not null and winlog.computer_name is not null and
+  not cidr_match(TO_IP(source.ip), "127.0.0.0/8", "::1") and
+  not user.name in ("ANONYMOUS LOGON", "-") and not user.name like "*$" and user.domain != "NT AUTHORITY" and
+  /*
+    noisy failure status codes often associated to authentication misconfiguration
      0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.
-     0XC000005E	- There are currently no logon servers available to service the logon request.
-     0XC0000133	- Clocks between DC and other computer too far out of sync.
-     0XC0000192	An attempt was made to logon, but the Netlogon service was not started.
-    */
-    not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=10
+     0XC000005E - There are currently no logon servers available to service the logon request.
+     0XC0000133 - Clocks between DC and other computer too far out of sync.
+     0XC0000192 An attempt was made to logon, but the Netlogon service was not started.
+     0xc00000dc - DC is in shutdown phase, it will normally tell current clients to use another DC for authentication.
+  */
+  not winlog.event_data.Status in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192", "0xc00000dc")
+// truncate the timestamp to a 60-second window
+| eval Esql.time_window = date_trunc(60 seconds, @timestamp)
+| stats Esql.failed_auth_count = COUNT(*), Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName), Esql.user_domain_values = VALUES(user.domain), Esql.error_codes = VALUES(winlog.event_data.Status), Esql.data_stream_namespace.values = VALUES(data_stream.namespace) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type
+| where Esql.failed_auth_count >= 100
+| KEEP winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type, Esql.*
 '''
 
 

rules/windows/credential_access_dollar_account_relay.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/07/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/06/16"
+updated_date = "2025/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -15,13 +15,13 @@ from = "now-9m"
 index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Potential Computer Account Relay Activity"
+name = "Potential Computer Account NTLM Relay Activity"
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Potential Computer Account Relay Activity
+### Investigating Potential Computer Account NTLM Relay Activity
 
 ### Possible investigation steps
 
@@ -58,9 +58,9 @@ references = [
     "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications",
     "https://attack.mitre.org/techniques/T1187/",
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "263481c8-1e9b-492e-912d-d1760707f810"
-severity = "low"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -77,14 +77,16 @@ type = "eql"
 
 query = '''
 authentication where host.os.type == "windows" and event.code in ("4624", "4625") and
-    endswith~(user.name, "$") and winlog.logon.type : "network" and
+ winlog.logon.type == "Network" and winlog.event_data.AuthenticationPackageName == "NTLM" and
+ endswith~(user.name, "$") and user.name != "$" and
+ source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1" and
 
-    /* Filter for a machine account that matches the hostname */
-    startswith~(host.name, substring(user.name, 0, -1)) and
+ /* Filter for a machine account that matches the hostname */
+ startswith~(host.name, substring(user.name, 0, -1)) and
 
-    /* Verify if the Source IP belongs to the host */
-    not endswith(string(source.ip), string(host.ip)) and
-    source.ip != null and source.ip != "::1" and source.ip != "127.0.0.1"
+ /* Verify if the Source IP belongs to the host */
+ not endswith(string(source.ip), string(host.ip)) and
+ not stringContains(string(host.ip), string(source.ip))
 '''