elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803

Open ar3diu opened 1 week ago

ar3diu commented 1 week ago

Link to rule

https://github.com/elastic/detection-rules/blob/259efaf7165be7105a2fb990e3b7146ad6997f8f/rules/windows/collection_email_outlook_mailbox_via_com.toml#L17

Description

Both events in the sequence should be related to the same host. I encountered false positives where an alert was triggered for two events from two different hosts.

Example Data

sequence by host.id with maxspan=1m
[...] by process.executable
[...] by process.Ext.effective_parent.executable
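To make the tuning concrete, here is a small Python model of an EQL two-stage sequence with and without the `host.id` join key. It is an added example for this thread, not code from elastic/detection-rules or from the reporter; the rule's actual stage filters are elided above, so this toy only models the join semantics (per-stage `by` fields plus the shared `sequence by host.id`), and the events below are constructed sample records using the ECS field names from the proposed fragment.

```python
"""Toy sequence correlator: why the Outlook IPC rule needs `sequence by host.id`.

Without a shared join key, a stage-1 event from one host and a stage-2 event
from another host inside the maxspan window are paired into one alert, which
is the false positive described in the issue. Added example, not the rule's
own logic; stage filters are left out and the events are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Two hosts emit a stage-1
# event; only host-B emits the stage-2 event, all within a 1-minute window.
T0 = datetime(2024, 6, 1, 12, 0, 0)
EVENTS = [
    {"@timestamp": T0, "host.id": "host-A", "stage": 1,
     "process.executable": r"C:\Office\OUTLOOK.EXE"},
    {"@timestamp": T0 + timedelta(seconds=10), "host.id": "host-B", "stage": 1,
     "process.executable": r"C:\Office\OUTLOOK.EXE"},
    {"@timestamp": T0 + timedelta(seconds=20), "host.id": "host-B", "stage": 2,
     "process.Ext.effective_parent.executable": r"C:\Office\OUTLOOK.EXE"},
]

# Per-stage join fields from the proposed query: stage 1 joins on
# process.executable, stage 2 on process.Ext.effective_parent.executable.
STAGE_KEYS = ("process.executable", "process.Ext.effective_parent.executable")
MAXSPAN = timedelta(minutes=1)


def correlate(events, maxspan, stage_keys, shared_keys=()):
    """Return (stage1, stage2) pairs whose join values agree.

    stage_keys:  per-stage `by` fields; stage1[k1] must equal stage2[k2].
    shared_keys: fields that must match on both events, i.e. the keys named
                 in the leading `sequence by ...` clause.
    This is a simplified model (every qualifying pair is reported); real EQL
    consumes matched events, but the join behaviour is the same.
    """
    k1, k2 = stage_keys
    firsts = [e for e in events if e["stage"] == 1]
    seconds = [e for e in events if e["stage"] == 2]
    matches = []
    for e1 in firsts:
        for e2 in seconds:
            # Stage 2 must follow stage 1 within maxspan.
            if not (e1["@timestamp"] < e2["@timestamp"] <= e1["@timestamp"] + maxspan):
                continue
            # Per-stage join: the child's effective parent is the stage-1 binary.
            if e1.get(k1) != e2.get(k2):
                continue
            # Shared join: every `sequence by` field must agree.
            if any(e1.get(k) != e2.get(k) for k in shared_keys):
                continue
            matches.append((e1, e2))
    return matches


def alerts_without_host_join():
    """The original behaviour: no `sequence by host.id`."""
    return correlate(EVENTS, MAXSPAN, STAGE_KEYS)


def alerts_with_host_join():
    """The proposed tuning: `sequence by host.id with maxspan=1m`."""
    return correlate(EVENTS, MAXSPAN, STAGE_KEYS, shared_keys=("host.id",))


def cross_host_pairs(matches):
    """Pairs whose two events come from different hosts (the false positives)."""
    return [(e1, e2) for e1, e2 in matches if e1["host.id"] != e2["host.id"]]


if __name__ == "__main__":
    before = alerts_without_host_join()
    after = alerts_with_host_join()
    print(f"without host.id join: {len(before)} alert(s), "
          f"{len(cross_host_pairs(before))} cross-host")
    print(f"with host.id join:    {len(after)} alert(s), "
          f"{len(cross_host_pairs(after))} cross-host")
```

Without the shared key, host-A's stage-1 event is paired with host-B's stage-2 event because the per-stage `by` values (both `OUTLOOK.EXE`) agree; adding `host.id` to the `sequence by` clause removes that pair while keeping the genuine same-host match.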

w0rk3r commented 1 week ago

Hey @ar3diu, do you want to open a PR for this one or should I do it?

ar3diu commented 1 week ago

I just submitted it: https://github.com/elastic/detection-rules/pull/3806 (There is a warning there regarding the contributor agreement. I just signed it, but it probably hasn't been updated yet.)