[Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition (#5391)

* [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition * Update defense_evasion_posh_obfuscation_proportion_special_chars.toml * ++, powershell.file.* * ++ --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-12-05 09:17:02 -03:00
parent f427735610
commit b8aedcd7aa
13 changed files with 32 additions and 39 deletions
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -104,8 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
    Esql.script_block_pattern_count,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.name,
    file.directory,
    file.path,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -103,8 +103,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
    Esql.script_block_pattern_count,
    Esql.script_block_length,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
    file.name,
    powershell.sequence,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -105,8 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
    Esql.script_block_pattern_count,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
    powershell.sequence,
    powershell.total,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -101,8 +101,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
    Esql.script_block_pattern_count,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
    powershell.sequence,
    powershell.total,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -106,8 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
    Esql.script_block_ratio,
    Esql.script_block_length,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.directory,
    file.path,
    powershell.sequence,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -106,8 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
    Esql.script_block_pattern_count,
    Esql.script_block_length,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
    powershell.sequence,
    powershell.total,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -107,8 +107,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
    Esql.script_block_pattern_count,
    Esql.script_block_length,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
    file.directory,
    powershell.sequence,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -108,8 +108,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
    Esql.script_block_pattern_count,
    Esql.script_block_length,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
    powershell.sequence,
    powershell.total,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -104,8 +104,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
 | keep
    Esql.script_block_pattern_count,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
    powershell.sequence,
    powershell.total,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -106,8 +106,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
    Esql.script_block_pattern_count,
    Esql.script_block_length,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
    powershell.sequence,
    powershell.total,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/03"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -105,8 +105,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
    Esql.script_block_pattern_count,
    Esql.script_block_length,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
    file.directory,
    powershell.sequence,
@@ -2,7 +2,7 @@
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -113,8 +113,7 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
    Esql.script_block_length,
    Esql.script_block_ratio,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
    powershell.sequence,
    powershell.total,
@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2025/04/16"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2025/08/14"
+updated_date = "2025/12/01"

 [rule]
 author = ["Elastic"]
@@ -73,9 +73,9 @@ from logs-windows.powershell_operational* metadata _id, _version, _index
    Esql.script_block_length,
    Esql.script_block_ratio,
    Esql.script_block_tmp,
-    powershell.file.script_block_text,
-    powershell.file.script_block_id,
+    powershell.file.*,
    file.path,
+    file.directory,
    powershell.sequence,
    powershell.total,
    _id,
@@ -86,6 +86,11 @@ from logs-windows.powershell_operational* metadata _id, _version, _index

 // Filter for scripts with high special character ratio
 | where Esql.script_block_ratio > 0.30
+
+// Exclude Noisy Patterns
+| where not file.directory like "C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"
+  // ESQL requires this condition, otherwise it only returns matches where file.directory exists.
+  or file.directory IS NULL
 '''