Merge pull request #768 from Yamato-Security/lessen-FPs-2024-11-09

lessen FPs
Yamato-Security · Nov 9, 2024 · 85e80d9 · 85e80d9
2 parents 662ec5b + c309d07
commit 85e80d9
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/config/exclude_rules.txt b/config/exclude_rules.txt
@@ -33,5 +33,10 @@ ab0d6f07-d3a5-dcce-b343-05bfd1a8b000 # "Windows Kernel and 3rd-Party Drivers Exp
 4574194d-e7ca-4356-a95c-21b753a1787e # User Guessing
 ffd622af-d049-449f-af5a-0492fdcc3a58 # PW Spray
 
+# FPs
+a4504cb2-23f6-6d94-5ae6-d6013cf1d995 # Suspicious Multiple File Rename Or Delete Occurred
+9f8b3bda-88a1-a216-2897-950cc5ca4aa4 # Quick Execution of a Series of Suspicious Commands (Sysmon 1)
+53facd0f-d88d-bab7-469e-a36211463245 # Quick Execution of a Series of Suspicious Commands (Sec 4688)
+
 # Test Files
 00000000-0000-0000-0000-000000000000 # TestFile
diff --git a/...sa/builtin/Security/LogonLogoff/Logon/Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml b/...sa/builtin/Security/LogonLogoff/Logon/Sec_4648_Med_ExplicitLogon_PW-Spray_Correlation.yml
@@ -18,6 +18,7 @@ correlation:
         - explicit_logon
     group-by:
         - IpAddress
+        - Computer
     timespan: 5m
     condition:
         gte: 5