Closed tehbooom closed 2 months ago
I talked with @tehbooom via Slack. He shared an alert JSON, and the process.parent.name
field is not populated, which causes the alert to still trigger. He is going to proceed with the Endpoint team to investigate why.
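The mechanism described in the comment above, as an added illustration that is not part of the original issue or the detection-rules repository: a negated exclusion such as `not process.parent.name : (...)` can only suppress an event in which the field is actually present, so a document that lacks process.parent.name entirely sails past the exclusion and fires. The hosts-file path list, the excluded parent name `example_config_agent`, and the sample events are all constructed placeholders; the real rule's query is not reproduced here. The `field_coverage` helper is the tuning check a practitioner would run before relying on an exclusion keyed on that field.

```python
"""Why a `not process.parent.name : X` exclusion cannot suppress an alert whose
document lacks process.parent.name. Sample documents and the excluded parent
name are constructed placeholders, not the real rule's query or real alert data."""

# Hosts file paths the base condition looks for (constructed list).
HOSTS_FILE_PATHS = {
    "/etc/hosts",
    "/private/etc/hosts",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
}

# Hypothetical parent process to exclude; placeholder only.
EXCLUDED_PARENT_NAMES = {"example_config_agent"}


def get_field(doc, dotted):
    """Resolve an ECS-style dotted field name against a nested dict.
    Returns None if any path component is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def rule_matches(doc):
    """Base condition: a file change or creation on a hosts file path."""
    if get_field(doc, "event.category") != "file":
        return False
    if get_field(doc, "event.type") not in ("change", "creation"):
        return False
    return get_field(doc, "file.path") in HOSTS_FILE_PATHS


def exclusion_suppresses(doc):
    """Mirrors a `not process.parent.name : (...)` clause. It suppresses only
    when the field is present AND holds an excluded value; a missing field
    matches nothing, so the negated clause is true and the alert still fires."""
    parent = get_field(doc, "process.parent.name")
    return parent is not None and parent in EXCLUDED_PARENT_NAMES


def alerts(docs):
    """Documents that satisfy the base condition and are not excluded."""
    return [d for d in docs if rule_matches(d) and not exclusion_suppresses(d)]


def field_coverage(docs, dotted):
    """Tuning check: fraction of base-condition matches where `dotted` is
    populated. Low coverage means an exclusion on that field cannot work."""
    matched = [d for d in docs if rule_matches(d)]
    if not matched:
        return 0.0
    populated = sum(1 for d in matched if get_field(d, dotted) is not None)
    return populated / len(matched)


# Constructed sample events (not real alert data).
SAMPLE_DOCS = [
    # Parent populated with the excluded value: suppressed.
    {"event": {"category": "file", "type": "change"},
     "file": {"path": "/etc/hosts"},
     "process": {"name": "sh", "parent": {"name": "example_config_agent"}}},
    # No process.parent at all: exclusion cannot apply, alert fires.
    {"event": {"category": "file", "type": "change"},
     "file": {"path": "/etc/hosts"},
     "process": {"name": "sh"}},
    # Parent populated with a non-excluded value: alert fires.
    {"event": {"category": "file", "type": "change"},
     "file": {"path": "/etc/hosts"},
     "process": {"name": "vim", "parent": {"name": "bash"}}},
    # Unrelated event: base condition not met.
    {"event": {"category": "process", "type": "start"},
     "process": {"name": "sh"}},
]

if __name__ == "__main__":
    fired = alerts(SAMPLE_DOCS)
    print(f"{len(fired)} alert(s) fire out of {len(SAMPLE_DOCS)} events")
    cov = field_coverage(SAMPLE_DOCS, "process.parent.name")
    print(f"process.parent.name coverage among matches: {cov:.0%}")
```

Running the block shows two alerts firing, one of them the document with no parent process at all, and a coverage figure below 100% for process.parent.name. In practice the same coverage query against the real alert index is the quick way to confirm whether an exclusion on a given field can ever take effect on the hosts in question.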
Link to Rule
https://github.com/elastic/detection-rules/blob/11636b159d88d25867ec75593ef5b9c4db647550/rules/cross-platform/impact_hosts_file_modified.toml
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
Still seeing false positives for this rule when the endpoint is installed on GCE instances.
Example Data
I'm seeing a high number of alerts, 1000+ a day.