[Rule Tuning] Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score (#5523) (#5686)

Add EQL exclusions for benign activity: Opera GX renderer children, Slack creating slack children, Node using playwright to create chrome process Python editors accessing reg.exe Logitech manager activity and Zabbix script paths.
2026-02-05 20:54:26 +00:00
parent 80968035bb
commit 64cca9e1ba
1 changed files with 9 additions and 2 deletions
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/02/05"

 [rule]
 author = ["Elastic"]
@@ -102,7 +102,14 @@ not (process.name : "opera.exe" and process.parent.name : "opera.exe") and
 not (process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and
     process.name : ("UCPDMgr.exe", "sdbinst.exe", "gpupdate.exe", "rundll32.exe", "taskhostw.exe", "taskeng.exe", "rdpclip.exe", "firefox.exe", "w3wp.exe")) and
 not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") and
-not (process.name : "MpCmdRun.exe" and process.parent.name : ("MsMpEng.exe", "MpCmdRun.exe", "svchost.exe"))
+not (process.name : "MpCmdRun.exe" and process.parent.name : ("MsMpEng.exe", "MpCmdRun.exe", "svchost.exe")) and
+not (process.name : "slack.exe" and process.parent.name : "slack.exe") and
+not (process.name : "reg.exe" and process.parent.name : "pycharm64.exe") and
+not (process.name : "reg.exe" and process.parent.name : "rider64.exe") and
+not (process.name : "LogiLuUpdater.exe" and process.parent.name : "LogiOptionsMgr.exe") and
+not (process.name : "chrome.exe" and process.parent.name : "node.exe" and process.command_line  : "*playwright*") and
+not (process.name : "powershell.exe" and process.command_line : "*\\Zabbix_Scripts\\*.ps1*") and
+not (process.parent.name : "opera.exe" and process.command_line: "*--type=renderer*")
 '''