elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Unusual Network Activity from a Windows System Binary #3104

Closed begin-thread closed 11 months ago

begin-thread commented 1 year ago

Link to rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_network_connection_from_windows_binary.toml

Description

Hi Team.

The alert was triggered after the installation of a piece of software (GitHub Desktop on Windows).

After investigation, the IP responsible for the alert is:

destination.ip: "192.229.211.108"

I then looked for information about this IP, and it seems to be an addition to DigiCert's IP list in Feb 2023, after you made the last change to the rules in January 2023:

https://knowledge.digicert.com/alerts/new-dedicated-ip-addresses.html

I am looking forward to marking this alert as a false positive, but would like to see if my analysis is OK and would allow a change in the rule.

Thanks!

Example Data

w0rk3r commented 1 year ago

Hey @begin-thread, sorry for taking a while to look at this one. Thanks for reporting it; your analysis of it was awesome. I validated that it is common activity and pushed a tuning to this rule as part of https://github.com/elastic/detection-rules/pull/3246, along with some other improvements. Please review, and if you have any Qs or suggestions, let me know! Thanks for the contribution.

begin-thread commented 1 year ago

Hello @w0rk3r, I am really, really happy to hear that you accepted it, and thanks for the good comments about my analysis. It motivates me to continue working in my lab with detection rules!
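The tuning discussed in this thread is a destination-IP exclusion added to a rule that fires when a Windows system binary makes an outbound network connection. The following Python is an added example that models that tuning step so it can be run offline; it is not the rule's own EQL query, not code from the elastic/detection-rules project, and not code posted by either participant. The watched binary names, the internal-range list, the sample events and the choice to treat the reported address 192.229.211.108 as a single /32 entry are all assumptions made for this example (the actual DigiCert ranges are in the knowledge-base article linked above, not here).

```python
"""Toy model of a 'system binary made a network connection' rule plus an allow-list
tuning step. Added example; not the elastic/detection-rules query or its real allow-list."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical set of Windows system binaries the toy rule watches (assumption).
WATCHED_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}

# Ranges the toy rule never alerts on: RFC 1918, loopback and link-local (assumption).
# Listed explicitly rather than via IPv4Address.is_private because Python also flags
# documentation ranges such as 203.0.113.0/24 as private, which would hide our sample.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
)]

# The allow-list that represents the tuning. The address is the one reported in the
# issue; treating it as a /32 is this example's choice, not the rule's.
KNOWN_BENIGN_DESTINATIONS = [ipaddress.ip_network("192.229.211.108/32")]


@dataclass(frozen=True)
class NetworkEvent:
    """Minimal stand-in for a network-connection event (process name + destination.ip)."""
    process_name: str
    destination_ip: str


def in_any(ip: ipaddress.IPv4Address, networks: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if ip falls inside any of the given networks."""
    return any(ip in net for net in networks)


def evaluate(events: Iterable[NetworkEvent],
             allow_list: Iterable[ipaddress.IPv4Network] = KNOWN_BENIGN_DESTINATIONS
             ) -> List[NetworkEvent]:
    """Return the events that would alert: a watched binary reaching an external
    destination that is not on the allow-list. Pass allow_list=[] to see the
    untuned behaviour."""
    allow = list(allow_list)
    alerts = []
    for ev in events:
        if ev.process_name.lower() not in WATCHED_BINARIES:
            continue                                   # not a watched system binary
        ip = ipaddress.ip_address(ev.destination_ip)
        if in_any(ip, INTERNAL_RANGES):
            continue                                   # internal traffic is out of scope
        if in_any(ip, allow):
            continue                                   # tuned out as known-benign
        alerts.append(ev)
    return alerts


# Constructed sample events (not from the reporter's system). 203.0.113.7 is an
# RFC 5737 documentation address used here to stand in for an arbitrary external host.
SAMPLE_EVENTS = [
    NetworkEvent("certutil.exe", "192.229.211.108"),  # reported address -> tuned out
    NetworkEvent("certutil.exe", "203.0.113.7"),      # external, not allow-listed -> alert
    NetworkEvent("rundll32.exe", "10.0.0.5"),         # internal -> ignored
    NetworkEvent("mshta.exe", "127.0.0.1"),           # loopback -> ignored
    NetworkEvent("chrome.exe", "203.0.113.7"),        # not a watched binary -> ignored
]


def alert_count_before_and_after() -> tuple:
    """Number of alerts without the allow-list versus with it."""
    return len(evaluate(SAMPLE_EVENTS, allow_list=[])), len(evaluate(SAMPLE_EVENTS))


if __name__ == "__main__":
    before, after = alert_count_before_and_after()
    print(f"alerts before tuning: {before}, after tuning: {after}")
    for ev in evaluate(SAMPLE_EVENTS):
        print("ALERT", ev.process_name, "->", ev.destination_ip)
```

Running the block shows the untuned rule firing on both external connections and the tuned rule firing only on the one that is not allow-listed; the connection to the reported address is suppressed exactly as the merged tuning intends. In a real deployment the allow-list would carry the CA's published ranges as CIDRs rather than a single host, and it should be reviewed whenever the CA publishes new addresses, which is how the original false positive arose.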