From 4bfcbeab36c8cc8ffee6d498da22cfff6139ba62 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 1 Feb 2023 13:19:28 -0300
Subject: [PATCH] [Rule Tuning] Unusual Network Activity from a Windows System Binary (#2509)

* [Rule Tuning] Unusual Network Activity from a Windows System Binary

* Update defense_evasion_network_connection_from_windows_binary.toml
---
 ...evasion_network_connection_from_windows_binary.toml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index d801bed1a..0f056604d 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/01/31"
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,13 @@ sequence by process.entity_id with maxspan=5m
 process.name : "MSBuild.exe" or
 process.name : "msdt.exe" or
 process.name : "mshta.exe" or
-process.name : "msiexec.exe" or
+(
+process.name : "msiexec.exe" and not
+dns.question.name : (
+"ocsp.digicert.com", "ocsp.verisign.com", "ocsp.comodoca.com", "ocsp.entrust.net", "ocsp.usertrust.com", "ocsp.godaddy.com", "ocsp.camerfirma.com", "ocsp.globalsign.com", "ocsp.sectigo.com", "*.local"
+)
+) or
 process.name : "msxsl.exe" or
 process.name : "odbcconf.exe" or
 process.name : "rcsi.exe" or
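Review bot: The `"*.local"` entry in the new `dns.question.name` exclusion for msiexec.exe is far broader than the OCSP responders listed beside it: it suppresses every msiexec lookup under the `.local` suffix, which in many Active Directory environments is the entire internal namespace, so an installer package fetching a second stage from an internal host would no longer satisfy this branch. Consider dropping that wildcard or scoping it to the specific internal hosts that were observed generating noise. The exclusion also only applies to events that carry `dns.question.name`; network connection events that lack a DNS question are presumably unaffected, so the tuning is narrower than the commit title suggests and that would be worth stating in the rule's note or description. A short EQL comment above the new parenthesised block, such as `/* msiexec.exe: exclude certificate-revocation (OCSP) lookups for signed packages; see tuning notes */`, would tell the next maintainer why these hosts are carved out. The enclosing sequence and its event filter start before and continue after this hunk.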