[Rule Tuning] Misc GenAI Tuning (#5825)

* tune credential_access_genai_process_sensitive_file_access.toml to reduce 74% noise on local state * tune defense_evasion_genai_config_modification.toml to conservatively reduce noise by 19% on file.path * tune command_and_control_genai_process_unusual_domain.toml to reduce 34% noise by domains * tune execution_openclaw_agent_child_process.toml to address 99 % of noise with ip/arp
2026-03-11 11:46:33 -05:00
parent ce3916f99f
commit 721ef0b9c7
4 changed files with 25 additions and 10 deletions
@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/10"

 [rule]
 author = ["Elastic"]
@@ -99,8 +99,14 @@ event.category:network and host.os.type:macos and event.action:connection_attemp
    *.npmjs.org or *.ollama.ai or *.ollama.com or *.openai.com or *.pypi.org or
    *.r2.cloudflarestorage.com or *.segment.io or *.sentry.io or *.visualstudio.com or
    *.vsassets.io or *.vscode-cdn.net or *.windsurf.ai or *.x.ai or *.yarnpkg.com or
-    *.cartocdn.com or *.chatgpt.com or *.ggpht.com or *.recaptcha.net or *.shields.io or
-    *.travis-ci.com or *.travis-ci.org or *.ytimg.com or flagcdn.com or opencollective.com
+    *.cartocdn.com or *.chatgpt.com or *.claude.ai or *.claude.com or
+    *.claudeusercontent.com or *.ggpht.com or *.gstatic.com or *.googleusercontent.com or
+    *.launchpadcontent.net or *.pythonhosted.org or *.recaptcha.net or *.shields.io or
+    *.snapcraftcontent.com or *.snapcraft.io or *.stripe.com or *.travis-ci.com or
+    *.travis-ci.org or *.ubuntu.com or *.ytimg.com or
+    *.github.io or *.githubassets.com or *.jsdelivr.net or *.nodesource.com or
+    chatgpt.com or claude.ai or claude.com or flagcdn.com or gitlab.com or
+    opencollective.com or pypi.org
 ))
 '''

@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/10"

 [rule]
 author = ["Elastic"]
@@ -131,7 +131,8 @@ file where event.action in ("open", "creation", "modification") and event.outcom
  ) and not (
    host.os.type == "windows" and
    process.name : ("claude.exe", "Claude") and
-    file.path : "?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State"
+    file.path : ("?:\\Users\\*\\AppData\\Roaming\\Claude\\Local State",
+                 "?:\\Users\\*\\AppData\\Local\\Packages\\Claude_*\\LocalCache\\Roaming\\Claude\\Local State")
  )
 '''

@@ -2,7 +2,7 @@
 creation_date = "2025/12/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/03"
+updated_date = "2026/03/10"

 [rule]
 author = ["Elastic"]
@@ -86,11 +86,17 @@ file.path : (
    */.moltbot/* or */AppData/Roaming/Moltbot/* or
    */.config/openclaw/*
 ) and not (
-  file.extension : (lck or lock) or
+  file.extension : (lck or lock or log or png or marker) or
+  file.name : .DS_Store or
+  file.path : (
+    */.claude/cache/* or
+    */.claude/statsig/* or
+    */.codex/log/* or
+    */.codex/sessions/*
+  ) or
  (
    file.path : */.config/github-copilot/* and 
    file.name : (apps.json or versions.json or copilot*nitrite.db)
-    
  )
 )
 '''
@@ -2,7 +2,7 @@
 creation_date = "2026/02/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/02/02"
+updated_date = "2026/03/10"

 [rule]
 author = ["Elastic"]
@@ -75,7 +75,9 @@ query = '''
 process where event.type == "start" and
  process.parent.name : ("node", "node.exe") and 
  process.parent.command_line : ("*openclaw*", "*moltbot*", "*clawdbot*") and
-   process.name : ("bash", "sh", "zsh", "bash.exe", "cmd.exe", "powershell.exe", "curl.exe", "curl", "base64", "xattr", "osascript", "python*", "chmod", "certutil.exe", "rundll32.exe")
+   process.name : ("bash", "sh", "zsh", "bash.exe", "cmd.exe", "powershell.exe", "curl.exe", "curl", "base64", "xattr", "osascript", "python*", "chmod", "certutil.exe", "rundll32.exe") and
+   not process.command_line in ("/bin/sh -c ip neigh show", "/usr/bin/sh -c ip neigh show",
+                                "/bin/sh -c arp -a -n -l", "/usr/bin/sh -c arp -a -n -l")
 '''