[Rule Tuning] Misc GenAI Tuning (#6006)

rules/cross-platform/command_and_control_genai_process_unusual_domain.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/10"
+updated_date = "2026/04/29"
 
 [rule]
 author = ["Elastic"]
@@ -81,8 +81,7 @@ event.category:network and host.os.type:macos and event.action:connection_attemp
     "Windsurf Helper (Plugin)" or bunx or claude or codex or copilot or cursor or deno or
     gemini-cli or genaiscript or gpt4all or grok or jan or koboldcpp or llama-cli or
     llama-server or lmstudio or npx or ollama or pnpm or qwen or textgen or windsurf or yarn
-  ) or
-  (process.name:(node or node.exe) and process.command_line:(*openclaw* or *moltbot* or *clawdbot*))
+  )
 ) and destination.domain:(* and not (
     aka.ms or anthropic.com or atlassian.com or cursor.com or cursor.sh or github.com or
     gpt4all.io or hf.co or huggingface.co or lmstudio.ai or localhost or ollama.ai or

rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/04/21"
+updated_date = "2026/04/29"
 
 [rule]
 author = ["Elastic"]
@@ -101,11 +101,7 @@ file where event.action in ("open", "creation", "modification") and event.outcom
         "zed.exe", "zed",
         "opencode.exe", "opencode",
         "goose.exe", "goose"
-      ) or
-      // OpenClaw/Moltbot/Clawdbot family via Node.js
-      (process.name in~ ("node", "node.exe") and
-       process.command_line like~ ("*openclaw*", "*moltbot*", "*clawdbot*",
-                                   "*nemoclaw*", "*nanoclaw*", "*picoclaw*"))
+      )
     ) and
 
   // Sensitive file paths