[Rule Tuning] Potential Remote Credential Access via Registry (#2203)

* [Rule Tuning] Potential Remote Credential Access via Registry

Excluding some noisy FPs by file.path (user and machine hives std paths) and event.action (scoped to logged-in)

* Update credential_access_remote_sam_secretsdump.toml

rules/windows/credential_access_remote_sam_secretsdump.toml

@@ -3,7 +3,7 @@ creation_date = "2022/03/01"
 maturity = "production"
 min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
 min_stack_version = "7.15.0"
-updated_date = "2022/05/09"
+updated_date = "2022/07/30"
 
 [rule]
 author = ["Elastic"]
@@ -78,11 +78,17 @@ type = "eql"
 query = '''
 sequence by host.id, user.id with maxspan=1m
  [authentication where
-   event.outcome == "success" and
+   event.outcome == "success" and event.action == "logged-in" and
    winlog.logon.type == "Network" and not user.name == "ANONYMOUS LOGON" and
    not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip !="::1"]
  [file where event.action == "creation" and process.name : "svchost.exe" and
-  file.Ext.header_bytes : "72656766*" and user.id : "S-1-5-21-*" and file.size >= 30000]
+  file.Ext.header_bytes : "72656766*" and user.id : "S-1-5-21-*" and file.size >= 30000 and
+  not file.path :
+           ("?:\\Windows\\system32\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry",
+            "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat.LOG?",
+            "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat",
+            "?:\\Users\\*\\ntuser.dat.LOG?",
+            "?:\\Users\\*\\NTUSER.DAT")]
 '''