[Tuning] Windows Discovery Rule Tuning for UEBA #3097
Conversation
…elastic/detection-rules into win-rule-tuning-and-conversion-for-UEBA
Co-authored-by: Samirbous <[email protected]>
Co-authored-by: Jonhnathan <[email protected]>
Awesome 🧙🏼 work
rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
[rule.new_terms] | ||
field = "new_terms_fields" | ||
value = ["host.id", "user.id", "process.command_line"] |
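Review bot: process.command_line in the value = [...] list is by far the highest-cardinality of the three fields, and any command line that carries a volatile token (a temp path, a GUID, a session ID, a timestamp) is a brand-new term on every execution, so the history window will never suppress it. Before settling on it, measure the distinct count of process.command_line per host.id/user.id over the intended lookback; if that count is high, process.executable (or process.parent.executable) as raised in the thread keeps the per-user/per-host novelty signal with far fewer terms.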
Do we think command line will still result in too many results? Alternative options would be parent process, or converting this to a BBR.
or process.executable
I think a first good step would be to try it out like this. I am quite sure this should suffice and reduce noise by a lot. Not all of these rules have representative process child or process parent. That's what the signal rule below this one is for.
timestamp_override = "event.ingested" | ||
building_block_type = "default" |
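Review bot: building_block_type = "default" is out of alphabetical order here (it follows timestamp_override), unlike the other rules in the repository; move it up with the other top-level fields. Since building-block alerts are hidden from the default alerts view in Kibana, also confirm that a rule whose purpose is to surface unusual discovery signals is really meant to be a building block rather than a normal rule, and if it is, say so in the rule description.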
Let's put this field alphabetically across all of these rules.
Never noticed these were alphabetically ordered. That makes sense. Will do!
type = "new_terms" | ||
query = ''' | ||
host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:( | ||
"d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or |
Idea: we may want to consider adding a unit test where, when kibana.alert.rule.rule_id exists as a field in the query, the rule ID values are verified to exist, to stay synced in cases of deprecations.
in a separate PR of course
LGTM
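The unit test suggested in the thread above, written out as an added example that is not part of the elastic/detection-rules code base: it pulls every rule_id quoted in a kibana.alert.rule.rule_id:( ... ) clause out of a KQL query and checks each one against the loaded rule set, flagging IDs that are unknown or belong to a deprecated rule. The rule file names, the deprecated rule and its ID, and the query strings are constructed; the two d68e95ad-... and 7b8bfc26-... UUIDs are the ones visible in the diff above, and the dict-of-rules shape is a stand-in for whatever the repository's own loader returns.

```python
"""Added example, not code from elastic/detection-rules: verify that every rule_id a
signal-consuming (higher-order) rule references resolves to a known, non-deprecated
rule.  Rule file names, the deprecated entry and all query text are constructed."""
import re
from typing import Dict, List, Set

UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# Matches  kibana.alert.rule.rule_id:( "id" or "id" ... )  or  kibana.alert.rule.rule_id:"id"
RULE_ID_REF = re.compile(
    r'kibana\.alert\.rule\.rule_id\s*:\s*(?:\(([^)]*)\)|"(' + UUID + r')")'
)
QUOTED_UUID = re.compile(r'"(' + UUID + r')"')


def referenced_rule_ids(query: str) -> List[str]:
    """Return every rule_id literal that a KQL query restricts kibana.alert.rule.rule_id to."""
    ids: List[str] = []
    for group_list, single in RULE_ID_REF.findall(query):
        if single:
            ids.append(single)
        else:
            ids.extend(QUOTED_UUID.findall(group_list))
    return ids


def unresolved_references(rules: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each rule file to the referenced rule_ids that are unknown or deprecated.

    `rules` is {file name: {"rule_id": ..., "query": ..., "deprecated": bool}}, an
    assumed stand-in for the rule collection the repository's own loader produces.
    """
    live: Set[str] = {r["rule_id"] for r in rules.values() if not r.get("deprecated")}
    problems: Dict[str, List[str]] = {}
    for name, rule in rules.items():
        bad = [rid for rid in referenced_rule_ids(rule.get("query", "")) if rid not in live]
        if bad:
            problems[name] = bad
    return problems


# Constructed rule set: the two UUIDs from the diff plus a deprecated rule that the
# signal rule still points at, which is exactly the drift the test should catch.
DEPRECATED_ID = "11111111-2222-4333-8444-555555555555"
SAMPLE_RULES = {
    "hypothetical_rule_a.toml": {
        "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba",
        "query": "host.os.type:windows and event.category:process",
    },
    "hypothetical_rule_b.toml": {
        "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1",
        "query": "host.os.type:windows and event.category:process",
    },
    "hypothetical_deprecated_rule.toml": {
        "rule_id": DEPRECATED_ID,
        "deprecated": True,
        "query": "event.kind:event",
    },
    "hypothetical_signal_rule.toml": {
        "rule_id": "99999999-aaaa-4bbb-8ccc-dddddddddddd",
        "query": (
            "host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(\n"
            '  "d68e95ad-1c82-4074-a12a-125fe10ac8ba" or "7b8bfc26-81d2-435e-965c-d722ee397ef1" or\n'
            f'  "{DEPRECATED_ID}"\n'
            ")"
        ),
    },
}

if __name__ == "__main__":
    for rule_file, missing in unresolved_references(SAMPLE_RULES).items():
        print(f"{rule_file}: references unknown or deprecated rule_id(s) {missing}")
```

Wired into the repository's existing test suite, the check would iterate the real rule collection instead of SAMPLE_RULES and fail the build when unresolved_references returns anything, which is what keeps the hard-coded UUID list in sync with deprecations.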
…mdline.toml Co-authored-by: Justin Ibarra <[email protected]>
* [Tuning] Win DR Tuning for UEBA
* Need to get used to Windows formatting
* Added additional content
* Updated min stack
* Added additional tuning
* Fixed unit testing for KQL optimization
* Update rules_building_block/discovery_internet_capabilities.toml
* Additional tuning
* Kuery optimization
* Additional tuning
* Additional tuning
* Additional tuning
* Additional tuning
* Unit testing optimization fix
* optimization
* tuning
* Optimization
* Update rules/windows/discovery_privileged_localgroup_membership.toml
* Added feedback
* Update rules/windows/discovery_privileged_localgroup_membership.toml
  Co-authored-by: Justin Ibarra <[email protected]>
* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml
  Co-authored-by: Justin Ibarra <[email protected]>
* Update rules/windows/discovery_system_service_discovery.toml
  Co-authored-by: Justin Ibarra <[email protected]>
* added host.id as additional new_terms field
* Reworked a lot.
* kibana.alert.rule.rule_id to non-ecs-schema.json
* Fixed index by adding a dot
* fixed typo
* Added host.os.type:windows for signals
* Added additional tag
* Added Higher-Order Rule tag
* Stripped down signal rules down to two
* revert
* Update rules/windows/discovery_admin_recon.toml
  Co-authored-by: Samirbous <[email protected]>
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
  Co-authored-by: Samirbous <[email protected]>
* Update rules_building_block/discovery_generic_registry_query.toml
  Co-authored-by: Samirbous <[email protected]>
* Update rules_building_block/discovery_system_time_discovery.toml
  Co-authored-by: Samirbous <[email protected]>
* Update rules/windows/discovery_privileged_localgroup_membership.toml
  Co-authored-by: Samirbous <[email protected]>
* Update discovery_generic_registry_query.toml
* Readded exclusions
* Added trailing wildcards for KQL
* Update discovery_privileged_localgroup_membership.toml
* Update rules_building_block/discovery_signal_unusual_user_host.toml
  Co-authored-by: Jonhnathan <[email protected]>
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
  Co-authored-by: Justin Ibarra <[email protected]>
* Formatting fix

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Samirbous <[email protected]>
Co-authored-by: Jonhnathan <[email protected]>

Removed changes from:
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules_building_block/discovery_generic_registry_query.toml
- rules_building_block/discovery_internet_capabilities.toml

(selectively cherry picked from commit 4cdf521)
* [Tuning] Win DR Tuning for UEBA
* Need to get used to Windows formatting
* Added additional content
* Updated min stack
* Added additional tuning
* Fixed unit testing for KQL optimization
* Update rules_building_block/discovery_internet_capabilities.toml
* Additional tuning
* Kuery optimization
* Additional tuning
* Additional tuning
* Additional tuning
* Additional tuning
* Unit testing optimization fix
* optimization
* tuning
* Optimization
* Update rules/windows/discovery_privileged_localgroup_membership.toml
* Added feedback
* Update rules/windows/discovery_privileged_localgroup_membership.toml
  Co-authored-by: Justin Ibarra <[email protected]>
* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml
  Co-authored-by: Justin Ibarra <[email protected]>
* Update rules/windows/discovery_system_service_discovery.toml
  Co-authored-by: Justin Ibarra <[email protected]>
* added host.id as additional new_terms field
* Reworked a lot.
* kibana.alert.rule.rule_id to non-ecs-schema.json
* Fixed index by adding a dot
* fixed typo
* Added host.os.type:windows for signals
* Added additional tag
* Added Higher-Order Rule tag
* Stripped down signal rules down to two
* revert
* Update rules/windows/discovery_admin_recon.toml
  Co-authored-by: Samirbous <[email protected]>
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
  Co-authored-by: Samirbous <[email protected]>
* Update rules_building_block/discovery_generic_registry_query.toml
  Co-authored-by: Samirbous <[email protected]>
* Update rules_building_block/discovery_system_time_discovery.toml
  Co-authored-by: Samirbous <[email protected]>
* Update rules/windows/discovery_privileged_localgroup_membership.toml
  Co-authored-by: Samirbous <[email protected]>
* Update discovery_generic_registry_query.toml
* Readded exclusions
* Added trailing wildcards for KQL
* Update discovery_privileged_localgroup_membership.toml
* Update rules_building_block/discovery_signal_unusual_user_host.toml
  Co-authored-by: Jonhnathan <[email protected]>
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
  Co-authored-by: Justin Ibarra <[email protected]>
* Formatting fix

---------

Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: Samirbous <[email protected]>
Co-authored-by: Jonhnathan <[email protected]>

(cherry picked from commit 4cdf521)
Summary
This PR will be updated as part of the Windows tuning for UEBA project. Details on the tuning can also be found in #3093. This will remain in draft until I am done tuning (makes it easier to create notes).
Reviews
This PR will not get merged until reviewed by @Samirbous @brokensound77 and @w0rk3r, as I do not want to push any rule changes to production that we do not all agree on. I tuned these rules, however y'all have a better understanding of these rules / Windows detection engineering in general. Any changes not agreed upon will be reverted.
Windows Account or Group Discovery
Reduces hits from 16340 to 732 last 30 days over 47 unique clusters.
Process Discovery Using Built-in Tools
No additional tuning required, was already well tuned in #3018.
Query Registry using Built-in Tools
Converted this rule to new_terms rule type. Reason being many FPs, and it is difficult to tune. Converting this to new_terms using a unique user.name and process.parent.command_line will allow removing the current exclusions (as these will be filtered by statistical anomaly detection) and reduce FPs further.
Discovery of Internet Capabilities via Built-in Tools
Converted to new_terms, will reduce hits back to a minimum and allow it to be a robust DR.
Potential Network Share Discovery
Too noisy, not sure how to fix. Will leave it for now.
PowerShell Script with Discovery Capabilities
Either convert to new_terms on user.name & file.path, or not use it. Will ask Jon what he thinks later.
PowerShell Script with Password Policy Discovery Capabilities
0 hits, we will have to check whether this rule works or not.
Windows System Network Connections Discovery
Converted to new_terms, should minimize noise a lot (given that 90% of the alerts were generated by 3 specific commands by the same user).
Windows System Information Discovery
Converted to new_terms, should reduce hits by 90-95% given that 90%+ of the hits are generated by 1 process.command_line. This is from 1 cluster, however.
AdFind Command Activity
Rule has only TPs. Will not require additional tuning.
Enumeration of Administrator Accounts
Excluded system user, should now be good to include in UEBA pack. 32k alerts back to 403 in the last 30 days.
Account Discovery Command via SYSTEM Account and Whoami Process Activity
These two rules generate a lot of noise. I will create a new new_terms rule for the UEBA pack that checks for unknown user.name.
Enumerating Domain Trusts via DSQUERY.EXE
Only 3 hits last year, only TPs. No change needed.
Enumerating Domain Trusts via NLTEST.EXE
This one needed a bit of tuning. Decreased hits from 604 back to 32 in the last 30 days.
System Information Discovery via Windows Command Shell
Converted to new_terms. 500k hits in last 30 days, not tunable.
Group Policy Discovery via Microsoft GPResult Utility
Good, 200 hits last 30 days, all TPs in 35 unique clusters.
Windows Network Enumeration
Converted to new_terms, didn't see another way of minimizing FPs.
Peripheral Device Discovery
This rule is good, only TPs and limited hits. No tuning needed.
PowerShell Share Enumeration Script
Rule has limited hits. Doesn't need tuning.
PowerShell Suspicious Discovery Related Windows API Functions
Quite a lot of hits, no telemetry available of what commands are actually being run. Think this one is not useful for UEBA. Will discuss.
External IP Lookup from Non-Browser Process
Perfect candidate for new_terms. Converted it, had a lot of noise.
Enumeration of Privileged Local Groups Membership
Converted to new_terms. Had too many FPs, and was receiving a blacklist longer than 30 lines. New_terms is the best solution.
Remote System Discovery Commands
Converted to new_terms, a lot of hits. Will be less noisy.
Security Software Discovery using WMIC
Needed some tuning. Removed most FPs, should be good for UEBA now.
System Service Discovery through built-in Windows Utilities
Converted to new_terms, will reduce FPs back to a minimum.
System Time Discovery
Converted to new_terms, will reduce FPs back to a minimum.
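The review thread debates whether host.id, user.id and process.command_line make a good new_terms field set or whether process.executable would be safer, and the summary above converts a dozen discovery rules to new_terms on the strength of a few command lines producing most of the hits. The following added example (not code from elastic/detection-rules, and not Elastic's real new_terms implementation) is a simplified simulation of new_terms evaluation over a constructed alert stream that makes the trade-off concrete: the same stream is evaluated with the command line, with a normalized command line, and with the executable as the novelty term. The 7-day history window, every host and user ID, command line and timestamp are made up, and the "last seen more than a window ago" rule is a simplification of the real history-window semantics.

```python
"""Added example, not code from elastic/detection-rules or Elastic's new_terms
implementation: simulate new_terms evaluation over a constructed stream of Windows
discovery alerts to compare candidate field sets.  A record fires only if its tuple of
field values has not been seen within the history window."""
from datetime import datetime, timedelta
import re

HISTORY_WINDOW = timedelta(days=7)  # assumption; the real rule's history window is configurable
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def normalize_cmdline(cmd: str) -> str:
    """Collapse volatile tokens (GUIDs, numbers, case) so re-runs of one command share a term."""
    cmd = GUID_RE.sub("<guid>", cmd)
    cmd = re.sub(r"\d+", "<n>", cmd)
    return cmd.lower()


def new_terms_alerts(events, fields, normalizers=None):
    """Return the events that would alert under a new_terms rule keyed on `fields`.

    Simplification of the real logic: a tuple is "new" when it was last seen more than
    HISTORY_WINDOW before the current event, or never.  `normalizers` optionally maps a
    field name to a function applied to that field's value before it is used as a term.
    """
    normalizers = normalizers or {}
    last_seen = {}
    fired = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = tuple(normalizers.get(f, lambda v: v)(ev[f]) for f in fields)
        prev = last_seen.get(key)
        if prev is None or ev["@timestamp"] - prev > HISTORY_WINDOW:
            fired.append(ev)
        last_seen[key] = ev["@timestamp"]
    return fired


BASE = datetime(2023, 9, 1)  # constructed timeline start


def _ev(day, host, user, exe, cmd):
    return {"@timestamp": BASE + timedelta(days=day), "host.id": host, "user.id": user,
            "process.executable": exe, "process.command_line": cmd}


def sample_events():
    """Constructed discovery alerts; not real telemetry."""
    admin = ("host-1", "S-1-5-21-1-1-1-1001")
    events = []
    # A scheduled admin script runs the same account-discovery command every day.
    for d in range(1, 11):
        events.append(_ev(d, *admin, r"C:\Windows\System32\net.exe", "net user"))
    events.append(_ev(5, *admin, r"C:\Windows\System32\net.exe", "net localgroup administrators"))
    events.append(_ev(8, *admin, r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"))
    events.append(_ev(3, "host-2", "S-1-5-21-1-1-1-1002", r"C:\Windows\System32\whoami.exe", "whoami /all"))
    # A service queries a different CLSID on every run: a command line that never repeats.
    for d in range(1, 6):
        guid = f"{d:08x}-1111-4222-8333-444444444444"
        events.append(_ev(d, "host-3", "S-1-5-18", r"C:\Windows\System32\reg.exe",
                          f'reg query "HKLM\\SOFTWARE\\Classes\\CLSID\\{{{guid}}}"'))
    # The admin command comes back after the history window has elapsed, so it is "new" again.
    events.append(_ev(30, *admin, r"C:\Windows\System32\net.exe", "net user"))
    return events


def compare_field_choices(events):
    """Alert counts for the raw rule and for each candidate new_terms field set."""
    identity = ["host.id", "user.id"]
    return {
        "baseline": len(events),
        "cmdline": len(new_terms_alerts(events, identity + ["process.command_line"])),
        "cmdline_normalized": len(new_terms_alerts(
            events, identity + ["process.command_line"],
            {"process.command_line": normalize_cmdline})),
        "executable": len(new_terms_alerts(events, identity + ["process.executable"])),
    }


if __name__ == "__main__":
    for name, count in compare_field_choices(sample_events()).items():
        print(f"{name:20s} {count}")
```

Two things the counts show that the percentages in the summary do not: a command line with a volatile token (the CLSID loop) is never suppressed by the command-line variant, which is the failure mode to look for before converting a rule, and the executable variant also hides a genuinely new command (net localgroup administrators) from a user who already runs net.exe daily. Normalization fixes the first problem without the second, but a new_terms rule compares stored field values, so any such normalization would have to happen at ingest (for example in an ingest pipeline into a dedicated field) rather than inside the rule.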