[Rule Tuning] Fix process.pe.original_file_name Conditions (#5101)

* [Rule Tuning] Fix process.pe.original_file_name Conditions

* --
This commit is contained in:
Jonhnathan
2025-09-15 09:06:23 -07:00
committed by GitHub
parent d69ede2508
commit 8d9822e8be
9 changed files with 22 additions and 28 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/12/04"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"
[rule]
author = ["Elastic"]
@@ -60,14 +60,6 @@ references = [
]
risk_score = 47
rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
setup = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
"Domain: Endpoint",
@@ -89,8 +81,8 @@ process where host.os.type == "windows" and event.type == "start" and
(
(
(
process.name:"rar.exe" or ?process.code_signature.subject_name == "win.rar GmbH" or
?process.pe.original_file_name == "Command line RAR"
process.name : ("rar.exe", "WinRAR.exe") or ?process.code_signature.subject_name == "win.rar GmbH" or
?process.pe.original_file_name == "WinRAR.exe"
) and
process.args == "a" and process.args : ("-hp*", "-p*", "/hp*", "/p*")
) or
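Review bot: The rewritten fallback `?process.pe.original_file_name == "WinRAR.exe"` now covers only the GUI binary, while the `process.name` term on the line above also matches `rar.exe`, so a renamed console RAR is caught only if the code-signature branch fires; the value the console binary carries in its version resource is not shown in this hunk and should be checked and added to this condition if it differs. `==` on this field is an exact, case-sensitive comparison, so the match also depends on the casing stamped into the resource; the case-insensitive `:` operator removes that dependency, e.g. `?process.pe.original_file_name : "WinRAR.exe"`. The enclosing `query` string starts before this hunk.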
@@ -2,7 +2,7 @@
creation_date = "2021/11/22"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"
[rule]
author = ["Austin Songer"]
@@ -86,7 +86,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
(
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
) and
(
process.args : "*Clear-History*" or
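Review bot: The new list `?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")` pins the exact casing of the binaries' version resources because `in` compares case-sensitively, which is presumably why the old lowercase list never matched; the same change is repeated in the other five PowerShell rules in this commit and in the two lists that add `Cmd.Exe`. This rule also ingests from non-Elastic sources (`m365_defender`, `sentinel_one_cloud_funnel`, `crowdstrike` in the integration line above), and if any of those connectors normalises the field's case the fallback would silently stop matching again. The case-insensitive `in~` variant keeps the intent without depending on casing: `?process.pe.original_file_name in~ ("powershell.exe", "pwsh.dll", "powershell_ise.exe")`. The enclosing `query` string continues outside the hunk.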
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"
[rule]
author = ["Elastic"]
@@ -88,7 +88,7 @@ process where host.os.type == "windows" and event.type == "start" and
(
(
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
) and
process.args : "Clear-EventLog"
)
@@ -2,7 +2,7 @@
creation_date = "2021/07/20"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"
[rule]
author = ["Elastic"]
@@ -100,7 +100,7 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
(process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or ?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")) and
process.args : ("*Add-MpPreference*", "*Set-MpPreference*") and
process.args : ("*-Exclusion*")
'''
@@ -2,7 +2,7 @@
creation_date = "2021/07/07"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"
[rule]
author = ["Elastic"]
@@ -90,7 +90,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
(
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
) and
process.args : "Set-MpPreference" and process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
'''
@@ -2,7 +2,7 @@
creation_date = "2021/05/06"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"
[rule]
author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -90,7 +90,7 @@ process where host.os.type == "windows" and event.type == "start" and
(
(
process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("pwsh.exe", "powershell.exe", "powershell_ise.exe")
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
) and
process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled"
) or
@@ -2,7 +2,7 @@
creation_date = "2021/10/15"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"
[rule]
author = ["Austin Songer"]
@@ -96,7 +96,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
(
process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")
?process.pe.original_file_name in ("PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE")
) and
process.args : "*Set-NetFirewallProfile*" and
process.args : "*-Enabled*" and process.args : "*False*" and
@@ -2,7 +2,7 @@
creation_date = "2021/03/08"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"
[rule]
author = ["Elastic"]
@@ -85,8 +85,10 @@ type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
(
(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
)
'''
@@ -2,7 +2,7 @@
creation_date = "2024/03/26"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/09/12"
[rule]
author = ["Elastic"]
@@ -86,7 +86,7 @@ query = '''
process where host.os.type == "windows" and event.type == "start" and
process.parent.name : "ScreenConnect.Service.exe" and
(process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
'''