From 64cca9e1ba2ae45d485805ccd7a1115cf698a4eb Mon Sep 17 00:00:00 2001
From: yuriShafet <5830215+yuriShafet@users.noreply.github.com>
Date: Thu, 5 Feb 2026 20:54:26 +0000
Subject: [PATCH] [Rule Tuning] Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score (#5523) (#5686)

Add EQL exclusions for benign activity: Opera GX renderer children, Slack creating slack children, Node using playwright to create chrome process Python editors accessing reg.exe Logitech manager activity and Zabbix script paths.
---
 ..._ml_suspicious_windows_event_high_probability.toml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
index e4f7721dd..c9d776c0b 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint"]
 maturity = "production"
-updated_date = "2025/12/17"
+updated_date = "2026/02/05"
 
 [rule]
 author = ["Elastic"]
@@ -102,7 +102,14 @@
 not (process.name : "opera.exe" and process.parent.name : "opera.exe") and
 not (process.parent.executable : "C:\\Windows\\System32\\svchost.exe" and process.name : ("UCPDMgr.exe", "sdbinst.exe", "gpupdate.exe", "rundll32.exe", "taskhostw.exe", "taskeng.exe", "rdpclip.exe", "firefox.exe", "w3wp.exe")) and
 not process.executable : ("C:\\Program Files\\*.exe", "C:\\Program Files (x86)\\*.exe") and
-not (process.name : "MpCmdRun.exe" and process.parent.name : ("MsMpEng.exe", "MpCmdRun.exe", "svchost.exe"))
+not (process.name : "MpCmdRun.exe" and process.parent.name : ("MsMpEng.exe", "MpCmdRun.exe", "svchost.exe")) and
+not (process.name : "slack.exe" and process.parent.name : "slack.exe") and
+not (process.name : "reg.exe" and process.parent.name : "pycharm64.exe") and
+not (process.name : "reg.exe" and process.parent.name : "rider64.exe") and
+not (process.name : "LogiLuUpdater.exe" and process.parent.name : "LogiOptionsMgr.exe") and
+not (process.name : "chrome.exe" and process.parent.name : "node.exe" and process.command_line : "*playwright*") and
+not (process.name : "powershell.exe" and process.command_line : "*\\Zabbix_Scripts\\*.ps1*") and
+not (process.parent.name : "opera.exe" and process.command_line: "*--type=renderer*")
 '''
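Review bot: The two last added exclusions key only on a command-line substring (`*\\Zabbix_Scripts\\*.ps1*`) or a bare parent process name plus an argument (`opera.exe` with `*--type=renderer*`), so they suppress every PowerShell script under any directory of that name and every child of any process called opera.exe, whatever its location; the reg.exe, slack.exe and LogiLuUpdater.exe exclusions likewise rely on `process.parent.name` alone. The query already constrains the svchost case with `process.parent.executable`, so the same field (with install-path patterns confirmed against your telemetry) and, if the integration populates it, `process.code_signature.trusted` would keep the intended benign activity excluded while leaving a renamed or relocated binary in scope of the model score. The Zabbix line would also benefit from a parent constraint on the Zabbix agent executable rather than matching on the script path alone, e.g. `not (process.name : "powershell.exe" and process.parent.executable : "<zabbix-agent-path, to confirm>" and process.command_line : "*\\Zabbix_Scripts\\*.ps1*") and`. A short comment in the rule's description or note field recording why each exclusion was added (the tuning issue references #5523) would help future reviewers judge when they can be removed. The `query` string this hunk edits opens before the hunk; only its closing `'''` is visible here.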