From a4ecfe3ccf55005cd5bbe13ca506bfe3af0d69f6 Mon Sep 17 00:00:00 2001
From: Susan <23287722+susan-shu-c@users.noreply.github.com>
Date: Thu, 14 Mar 2024 15:51:02 -0400
Subject: [PATCH] Beaconing - Add whitelist to rules, with some more processes (#3497)

* Add whitelist to rules, with some more processes

* Update rules exceptionlist

* Update exceptions

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 .../integrations/beaconing/command_and_control_beaconing.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml
index 8f568cefa..6d3482967 100644
--- a/rules/integrations/beaconing/command_and_control_beaconing.toml
+++ b/rules/integrations/beaconing/command_and_control_beaconing.toml
@@ -50,7 +50,8 @@ type = "query"
 timestamp_override = "event.ingested"
 query = '''
-beacon_stats.is_beaconing: true
+beacon_stats.is_beaconing: true and
+not process.name: ("WaAppAgent.exe" or "metricbeat.exe" or "packetbeat.exe" or "WindowsAzureGuestAgent.exe" or "HealthService.exe" or "Widgets.exe" or "lsass.exe" or "msedgewebview2.exe" or "MsMpEng.exe" or "OUTLOOK.EXE" or "msteams.exe" or "FileSyncHelper.exe" or "SearchProtocolHost.exe" or "Creative Cloud.exe" or "ms-teams.exe" or "ms-teamsupdate.exe" or "curl.exe" or "rundll32.exe" or "MsSense.exe" or "wermgr.exe" or "java" or "olk.exe" or "iexplore.exe" or "NetworkManager" or "packetbeat" or "Ssms.exe" or "NisSrv.exe" or "gamingservices.exe" or "appidcertstorecheck.exe" or "POWERPNT.EXE" or "miiserver.exe" or "Grammarly.Desktop.exe" or "SnagitEditor.exe" or "CRWindowsClientService.exe")
 '''