From fbfc696a86d3ec826fbd13fb8957d294f155dc17 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 26 Aug 2025 13:03:59 +0100
Subject: [PATCH] Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008)

---
 ...ual_network_connection_to_suspicious_web_service.toml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
index 8da64a145..f2c7ee0cc 100644
--- a/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
+++ b/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/03/26"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/07"
+updated_date = "2025/08/26"
 
 [rule]
 author = ["Elastic"]
@@ -164,7 +164,10 @@ destination.domain : (
 i.imgur.com or
 the.earth.li or
 *.trycloudflare.com
-)
+) and
+not (destination.domain : (*.sharepoint.com or *.azurewebsites.net or "onedrive.live.com" or *.b-cdn.net or api.onedrive.com or "drive.google.com" or *.blogspot.com) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) and process.code_signature.trusted:true) and
+not (process.code_signature.subject_name:(*Mozilla* or *Google* or *Brave* or *Opera* or "Software Signing" or *Zscaler* or *Browser*) and process.code_signature.trusted:true) and
+not (destination.domain :("discord.com" or cdn.discordapp.com or "content.dropboxapi.com" or "dl.dropboxusercontent.com") and process.code_signature.subject_name :(*Discord* or *Dropbox*) and process.code_signature.trusted:true)
 '''
 
 [[rule.threat]]
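Review bot: The second added `not (...)` clause exempts every connection from any trusted-signed process whose `process.code_signature.subject_name` matches `"Software Signing"` or `*Browser*`, with no destination constraint, whereas the first and third clauses pair the signer with a fixed domain set. If `"Software Signing"` is the subject name that Apple's own platform binaries carry (curl, osascript and similar — confirm against endpoint data), that exemption removes the scripted path to `*.trycloudflare.com` and the other listed domains the rule exists to catch, `*Browser*` is a substring match that any signer containing the word would satisfy, and the `"Software Signing"` entry in the first clause becomes redundant. Consider narrowing that clause to the actual browser binaries (pairing the signer with `process.executable` or `process.name`) and recording the accepted trade-off in the rule's false-positives text. As a matter of style, each exclusion is one very long line beneath a domain list written one term per line, and they mix quoted and bare domains (`"onedrive.live.com"` vs `api.onedrive.com`); splitting them like the list above and quoting consistently would keep the query reviewable. The query string starts and ends outside the hunk, so I cannot see whether an earlier filter already scopes the process set.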
@@ -191,4 +194,4 @@ value = ["host.id", "process.executable", "destination.domain"]
 
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
\ No newline at end of file
+value = "now-7d"