[Tuning] Top Noisy Rules

rules/cross-platform/impact_hosts_file_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -78,14 +78,27 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-any where
+any where process.executable != null and
 
   /* file events for creation; file change events are not captured by some of the included sources for linux and so may
      miss this, which is the purpose of the process + command line args logic below */
   (
-   event.category == "file" and event.type in ("change", "creation") and
+   event.category == "file" and event.type in ("change", "creation") and event.action != "rename" and
      file.path : ("/private/etc/hosts", "/etc/hosts", "?:\\Windows\\System32\\drivers\\etc\\hosts") and 
-     not process.name in ("dockerd", "rootlesskit", "podman", "crio")
+     not process.name in ("dockerd", "rootlesskit", "podman", "crio") and
+     not process.executable : ("C:\\Program Files\\Fortinet\\FortiClient\\FCDBLog.exe",
+                               "C:\\Program Files\\Seqrite\\Seqrite\\SCANNER.EXE",
+                               "C:\\Windows\\Temp\\*.ins\\inst.exe",
+                               "C:\\Windows\\System32\\svchost.exe",
+                               "C:\\Program Files\\NordVPN\\nordvpn-service.exe",
+                               "C:\\Program Files\\Tailscale\\tailscaled.exe",
+                               "C:\\Program Files\\Docker\\Docker\\com.docker.service",
+                               "C:\\Program Files\\Quick Heal\\Quick Heal AntiVirus Pro\\scanner.exe",
+                               "C:\\Program Files (x86)\\Quick Heal AntiVirus Pro\\SCANNER.EXE",
+                               "C:\\Program Files\\Quick Heal\\Quick Heal Internet Security\\scanner.exe",
+                               "C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe",
+                               "/opt/IBM/InformationServer/Server/DSEngine/bin/uvsh",
+                               "/usr/local/demisto/server")
   )
   or
 
@@ -94,7 +107,8 @@ any where
    event.category == "process" and event.type in ("start") and
      process.name in ("nano", "vim", "vi", "emacs", "echo", "sed") and
      process.args : ("/etc/hosts") and 
-     not process.parent.name in ("dhclient-script", "google_set_hostname")
+     not process.parent.name in ("dhclient-script", "google_set_hostname") and
+     not process.command_line == "sed -i /Added by Google/d /etc/hosts"
   )
 '''
 

rules/linux/execution_shell_evasion_linux_binary.toml

@@ -2,7 +2,7 @@
 creation_date = "2022/05/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -139,20 +139,18 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "linux" and event.type == "start" and
+process where host.os.type == "linux" and event.type == "start" and process.executable != null and
 (
   /* launching shell from capsh */
-  (process.name == "capsh" and process.args == "--") or
+  (process.name == "capsh" and process.args == "--" and not process.parent.executable == "/usr/bin/log4j-cve-2021-44228-hotpatch") or
 
   /* launching shells from unusual parents or parent+arg combos */
   (process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
     (process.parent.name : "*awk" and process.parent.args : "BEGIN {system(*)}") or
-    (process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or
-     process.args : ("*PAGER*", "!*sh", "exec *sh") and not process.name == "ssh" ) or
+    (process.parent.name == "git" and process.parent.args : ("!*sh", "exec *sh") and not process.name == "ssh" ) or
     (process.parent.name : ("byebug", "ftp", "strace", "zip", "tar") and
     (
       process.parent.args : "BEGIN {system(*)}" or
-      (process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")) or
       (
         (process.parent.args : "exec=*sh" or (process.parent.args : "-I" and process.parent.args : "*sh")) or
         (process.args : "exec=*sh" or (process.args : "-I" and process.args : "*sh"))
@@ -182,7 +180,8 @@ process where host.os.type == "linux" and event.type == "start" and
   )) or
   (process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not
    process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox" and not (process.parent.args == "init" and
-   process.parent.args == "runc") and not process.parent.args in ("ls-remote", "push", "fetch") and not process.parent.name == "mkinitramfs") or
+   process.parent.args == "runc") and not process.parent.args in ("ls-remote", "push", "fetch") and not process.parent.name == "mkinitramfs" and
+   not process.parent.executable == "/bin/busybox") or
   (process.name == "env" and process.args_count == 2 and process.args : "*sh") or
   (process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or
   (process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or

rules/windows/credential_access_bruteforce_admin_account.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2025/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -38,8 +38,7 @@ short time interval. Adversaries will often brute force login attempts across mu
 password, in an attempt to gain access to accounts.
 """
 from = "now-9m"
-index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
-language = "eql"
+language = "esql"
 license = "Elastic License v2"
 name = "Privileged Account Brute Force"
 note = """## Triage and analysis
@@ -103,16 +102,28 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Windows Security Event Logs",
 ]
-type = "eql"
+type = "esql"
 
 query = '''
-sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where host.os.type == "windows" and
-    event.action == "logon-failed" and winlog.logon.type : "Network" and
-    source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and
-
-    /* noisy failure status codes often associated to authentication misconfiguration */
-    not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
+from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
+| where event.category == "authentication" and host.os.type == "windows" and event.action == "logon-failed" and
+  winlog.logon.type == "Network" and source.ip is not null and winlog.computer_name is not null and
+  not cidr_match(TO_IP(source.ip), "127.0.0.0/8", "::1") and
+  to_lower(winlog.event_data.TargetUserName) like "*admin*"  and
+  /*
+    noisy failure status codes often associated to authentication misconfiguration
+     0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.
+     0XC000005E - There are currently no logon servers available to service the logon request.
+     0XC0000133 - Clocks between DC and other computer too far out of sync.
+     0XC0000192 An attempt was made to logon, but the Netlogon service was not started.
+     0xc00000dc - DC is in shutdown phase, it will normally tell current clients to use another DC for authentication.
+  */
+  not winlog.event_data.Status in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192", "0xc00000dc")
+// truncate the timestamp to a 60-second window
+| eval Esql.time_window = date_trunc(60 seconds, @timestamp)
+| stats Esql.failed_auth_count = COUNT(*), Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName), Esql.user_domain_values = VALUES(user.domain), Esql.error_codes = VALUES(winlog.event_data.Status) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type
+| where Esql.failed_auth_count >= 50
+| KEEP winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type, Esql.*
 '''
 
 

rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2025/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -38,8 +38,7 @@ Adversaries will often brute force login attempts across multiple users with a c
 to gain access to accounts.
 """
 from = "now-9m"
-index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
-language = "eql"
+language = "esql"
 license = "Elastic License v2"
 name = "Multiple Logon Failure from the same Source Address"
 note = """## Triage and analysis
@@ -117,24 +116,29 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Windows Security Event Logs",
 ]
-type = "eql"
+timestamp_override = "event.ingested"
+type = "esql"
 
 query = '''
-sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
-    /* event 4625 need to be logged */
-    winlog.logon.type : "Network" and
-    source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
-    not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY" and
-
-    /*
-    noisy failure status codes often associated to authentication misconfiguration :
+from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
+| where event.category == "authentication" and host.os.type == "windows" and event.action == "logon-failed" and
+  winlog.logon.type == "Network" and source.ip is not null and winlog.computer_name is not null and
+  not cidr_match(TO_IP(source.ip), "127.0.0.0/8", "::1") and
+  not user.name in ("ANONYMOUS LOGON", "-") and not user.name like "*$" and user.domain != "NT AUTHORITY" and
+  /*
+    noisy failure status codes often associated to authentication misconfiguration
      0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.
-     0XC000005E	- There are currently no logon servers available to service the logon request.
-     0XC0000133	- Clocks between DC and other computer too far out of sync.
-     0XC0000192	An attempt was made to logon, but the Netlogon service was not started.
-    */
-    not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=10
+     0XC000005E - There are currently no logon servers available to service the logon request.
+     0XC0000133 - Clocks between DC and other computer too far out of sync.
+     0XC0000192 An attempt was made to logon, but the Netlogon service was not started.
+     0xc00000dc - DC is in shutdown phase, it will normally tell current clients to use another DC for authentication.
+  */
+  not winlog.event_data.Status in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192", "0xc00000dc")
+// truncate the timestamp to a 60-second window
+| eval Esql.time_window = date_trunc(60 seconds, @timestamp)
+| stats Esql.failed_auth_count = COUNT(*), Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName), Esql.user_domain_values = VALUES(user.domain), Esql.error_codes = VALUES(winlog.event_data.Status) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type
+| where Esql.failed_auth_count >= 100
+| KEEP winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type, Esql.*
 '''
 
 

rules/windows/credential_access_lsass_openprocess_api.toml

@@ -2,7 +2,7 @@
 creation_date = "2023/03/02"
 integration = ["endpoint", "m365_defender"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -33,9 +33,9 @@ authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.resu
 [rule]
 author = ["Elastic"]
 description = "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.\n"
-from = "now-9m"
-index = ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"]
-language = "eql"
+from = "now-30m"
+interval = "15m"
+language = "esql"
 license = "Elastic License v2"
 name = "LSASS Process Access via Windows API"
 note = """## Triage and analysis
@@ -116,71 +116,35 @@ tags = [
     "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
-type = "eql"
+type = "esql"
 
 query = '''
-api where host.os.type == "windows" and 
-  process.Ext.api.name in ("OpenProcess", "OpenThread") and Target.process.name : "lsass.exe" and 
-  not 
-  (
-    process.executable : (
-        "?:\\ProgramData\\GetSupportService*\\Updates\\Update_*.exe",
-        "?:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe",
-        "?:\\Program Files (x86)\\Asiainfo Security\\OfficeScan Client\\NTRTScan.exe",
-        "?:\\Program Files (x86)\\Blackpoint\\SnapAgent\\SnapAgent.exe",
-        "?:\\Program Files (x86)\\CheckPoint\\Endpoint Security\\EFR\\EFRService.exe",
-        "?:\\Program Files (x86)\\CyberCNSAgent\\osqueryi.exe",
-        "?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpnagent.exe",
-        "?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\aciseagent.exe",
-        "?:\\Program Files (x86)\\cisco\\cisco anyconnect secure mobility client\\vpndownloader.exe",
-        "?:\\Program Files (x86)\\eScan\\reload.exe",
-        "?:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
-        "?:\\Program Files (x86)\\Kaspersky Lab\\*\\avp.exe",
-        "?:\\Program Files (x86)\\microsoft intune management extension\\microsoft.management.services.intunewindowsagent.exe",
-        "?:\\Program Files (x86)\\N-able Technologies\\Reactive\\bin\\NableReactiveManagement.exe",
-        "?:\\Program Files (x86)\\N-able Technologies\\Windows Agent\\bin\\agent.exe",
-        "?:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe",
-        "?:\\Program Files (x86)\\Trend Micro\\*\\CCSF\\TmCCSF.exe",
-        "?:\\Program Files (x86)\\Trend Micro\\Security Agent\\TMASutility.exe",
-        "?:\\Program Files*\\Windows Defender\\MsMpEng.exe",
-        "?:\\Program Files\\Bitdefender\\Endpoint Security\\EPSecurityService.exe",
-        "?:\\Program Files\\Cisco\\AMP\\*\\sfc.exe",
-        "?:\\Program Files\\Common Files\\McAfee\\AVSolution\\mcshield.exe",
-        "?:\\Program Files\\EA\\AC\\EAAntiCheat.GameService.exe",
-        "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\agentbeat.exe",
-        "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\metricbeat.exe",
-        "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\osqueryd.exe",
-        "?:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-*\\components\\packetbeat.exe",
-        "?:\\Program Files\\ESET\\ESET Security\\ekrn.exe",
-        "?:\\Program Files\\Fortinet\\FortiClient\\FortiProxy.exe",
-        "?:\\Program Files\\Fortinet\\FortiClient\\FortiSSLVPNdaemon.exe",
-        "?:\\Program Files\\Goverlan Inc\\GoverlanAgent\\GovAgentx64.exe",
-        "?:\\Program Files\\Huntress\\HuntressAgent.exe",
-        "?:\\Program Files\\LogicMonitor\\Agent\\bin\\sbshutdown.exe",
-        "?:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
-        "?:\\Program Files\\Microsoft Monitoring Agent\\Agent\\Health Service State\\*\\pmfexe.exe", 
-        "?:\\Program Files\\Microsoft Security Client\\MsMpEng.exe",
-        "?:\\Program Files\\Qualys\\QualysAgent\\QualysAgent.exe",
-        "?:\\Program Files\\smart-x\\controlupagent\\version*\\cuagent.exe",
-        "?:\\Program Files\\TDAgent\\ossec-agent\\ossec-agent.exe",
-        "?:\\Program Files\\Topaz OFD\\Warsaw\\core.exe",
-        "?:\\Program Files\\Trend Micro\\Deep Security Agent\\netagent\\tm_netagent.exe",
-        "?:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
-        "?:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
-        "?:\\Program Files\\Wise\\Wise Memory Optimizer\\WiseMemoryOptimzer.exe",
-        "?:\\Windows\\AdminArsenal\\PDQDeployRunner\\*\\exec\\Sysmon64.exe",
-        "?:\\Windows\\Sysmon.exe",
-        "?:\\Windows\\Sysmon64.exe",
-        "?:\\Windows\\System32\\csrss.exe",
-        "?:\\Windows\\System32\\MRT.exe",
-        "?:\\Windows\\System32\\msiexec.exe",
-        "?:\\Windows\\System32\\taskhostw.exe",
-        "?:\\Windows\\System32\\RtkAudUService64.exe",
-        "?:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
-        "?:\\Windows\\SysWOW64\\wbem\\WmiPrvSE.exe",
-        "?:\\Windows\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe"
-    ) and not ?process.code_signature.trusted == false
-  )
+from logs-endpoint.events.api-*, logs-m365_defender.event-* metadata _id, _version, _index
+
+| where event.category == "api" and host.os.family == "windows" and
+   process.Ext.api.name in ("OpenProcess", "OpenThread", "ReadProcessMemory") and
+   Target.process.name == "lsass.exe" and process.executable is not null and
+
+   // Noisy patterns
+   not to_lower(process.executable) like """c:\\program files\\*.exe""" and
+   not to_lower(process.executable) like """c:\\program files (x86)\\*.exe""" and
+   not process.executable like """C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe""" and
+   not process.executable like """C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe""" and
+   not process.executable like """C:\\Program Files\\*.exe""" and not process.executable like """C:\\Program Files (x86)\\*.exe"""
+
+ /* normalize process paths to reduce known random patterns in process.executable */
+| eval Esql.process_path = replace(process.executable, """([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}|ns[a-z][A-Z0-9]{3,4}\.tmp|DX[A-Z0-9]{3,4}\.tmp|7z[A-Z0-9]{3,5}\.tmp|[0-9\.\-\_]{3,})""", "")
+
+// Group by process path
+| stats Esql.access_count = count(*),
+        Esql.count_distinct_hosts = count_distinct(host.id),
+        Esql.host_id_values = VALUES(host.id),
+        Esql.process_pid_values = VALUES(process.entity_id),
+        Esql.user_name_values = VALUES(user.name) by Esql.process_path
+
+// Limit to rare instances
+| where Esql.count_distinct_hosts == 1 and Esql.access_count <= 3
+| keep  Esql.*
 '''
 
 

rules/windows/defense_evasion_indirect_exec_forfiles.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/02/03"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/11"
 
 [rule]
 author = ["Elastic"]
@@ -72,8 +72,9 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.type == "start" and
- (process.name : "forfiles.exe" or ?process.pe.original_file_name == "forfiles.exe") and process.args : ("/c", "-c")
+process where host.os.type == "windows" and event.type == "start" and user.id != "S-1-5-18" and
+ (process.name : "forfiles.exe" or ?process.pe.original_file_name == "forfiles.exe") and process.args : ("/c", "-c") and
+ not process.args : ("-d", "/d", "cmd /c copy @file*", "cmd /c DEL /Q /F @*", "cmd /c del @*", "D:\\*")
 '''
 
 

rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2025/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -42,10 +42,10 @@ from = "now-9m"
 index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Process Termination followed by Deletion"
+name = "Deprecated - Process Termination followed by Deletion"
 note = """## Triage and analysis
 
-### Investigating Process Termination followed by Deletion
+### Investigating Deprecated - Process Termination followed by Deletion
 
 This rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.