[Rule Tuning] Suspicious Inter-Process Communication via Outlook elas…

…tic#3803 (elastic#3806) * Add "by host.id" argument to the sequence command in the rule query. * Update collection_email_outlook_mailbox_via_com.toml * Update non-ecs-schema.json --------- Co-authored-by: Andrei Rediu <[email protected]> Co-authored-by: Samirbous <[email protected]> Co-authored-by: Jonhnathan <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]>
shashank-elastic · Jul 3, 2024 · 5048bc2 · 5048bc2
1 parent 50f0fb3
commit 5048bc2
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -69,6 +69,7 @@
     "process.Ext.token.integrity_level_name": "keyword",
     "process.parent.Ext.real.pid": "long",
     "process.Ext.effective_parent.executable": "keyword",
+    "process.Ext.effective_parent.entity_id": "keyword",
     "process.Ext.effective_parent.name": "keyword",
     "file.Ext.header_bytes": "keyword",
     "file.Ext.entropy": "long",

diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/20"
 
 [rule]
 author = ["Elastic"]
@@ -43,9 +43,9 @@ sequence with maxspan=1m
       (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)
     )
   )
-] by process.executable
+] by process.entity_id
 [process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
-  process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable
+  process.Ext.effective_parent.name != null] by process.Ext.effective_parent.entity_id
 '''