Link to Rule
https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_scheduled_task_updated.toml
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
When OneDrive starts up, it triggers an alert. To remove false positives, add the following exclusion to the existing rule:
\\OneDrive Startup Task-S-1-5-21*
The next part is not necessary to make the rule work but might be worth looking into:
The required field winlog.event_data.TaskName needs to be updated: it is currently reported as unknown, and setting it as a keyword removes the error:
Example Data
Suggested solution:
query = '''
iam where event.action == "scheduled-task-updated" and
 /* excluding tasks created by the computer account */
 not user.name : "*$" and
 not winlog.event_data.TaskName : "Microsoft*" and
 not winlog.event_data.TaskName :
         ("\\User_Feed_Synchronization-*",
          "\\OneDrive Startup Task-S-1-5-21*",
          "\\OneDrive Reporting Task-S-1-5-21*",
          "\\OneDrive Reporting Task-S-1-12-1-*",
          "\\Hewlett-Packard\\HP Web Products Detection",
          "\\Hewlett-Packard\\HPDeviceCheck",
          "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant",
          "\\IpamDnsProvisioning",
          "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun",
          "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun",
          "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun",
          "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*",
          "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and
 not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
'''
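To check what the tuned exclusion list does before it is deployed, here is an added Python example (not part of this issue or of the Elastic rule) that locally approximates EQL's case-insensitive wildcard `:` match and runs the query's `not` clauses over a few constructed events; the sample events, user names, SIDs and the `\Updater` task name are assumptions.

```python
import re
# Exclusions from the tuned query above, including the proposed OneDrive
# Startup Task entry; EQL ':' is a case-insensitive match with '*' wildcards.
TASKNAME_EXCLUSIONS = [
    "\\User_Feed_Synchronization-*",
    "\\OneDrive Startup Task-S-1-5-21*",
    "\\OneDrive Reporting Task-S-1-5-21*",
    "\\OneDrive Reporting Task-S-1-12-1-*",
    "\\Hewlett-Packard\\HP Web Products Detection",
    "\\Hewlett-Packard\\HPDeviceCheck",
    "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant",
    "\\IpamDnsProvisioning",
    "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun",
    "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun",
    "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun",
    "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*",
    "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload",
]
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL/NETWORK SERVICE

def eql_match(value, pattern):
    """Local approximation of EQL ':' (not the Elastic engine): '*' matches any run."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None

def rule_fires(event, exclusions=TASKNAME_EXCLUSIONS):
    """True when the event survives every 'not ...' clause of the query."""
    task = event["winlog.event_data.TaskName"]
    return (event["event.action"] == "scheduled-task-updated"
            and not eql_match(event["user.name"], "*$")  # computer account
            and not eql_match(task, "Microsoft*")
            and not any(eql_match(task, p) for p in exclusions)
            and event["winlog.event_data.SubjectUserSid"] not in SERVICE_SIDS)

def alerting_tasks(events, exclusions=TASKNAME_EXCLUSIONS):
    return [e["winlog.event_data.TaskName"] for e in events if rule_fires(e, exclusions)]

# Constructed sample events; values are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    {"event.action": "scheduled-task-updated", "user.name": "jdoe",
     "winlog.event_data.TaskName": "\\OneDrive Startup Task-S-1-5-21-111-222-333-1001",
     "winlog.event_data.SubjectUserSid": "S-1-5-21-111-222-333-1001"},
    {"event.action": "scheduled-task-updated", "user.name": "jdoe",
     "winlog.event_data.TaskName": "\\Updater",  # hypothetical user-created task
     "winlog.event_data.SubjectUserSid": "S-1-5-21-111-222-333-1001"},
    {"event.action": "scheduled-task-updated", "user.name": "WS01$",
     "winlog.event_data.TaskName": "\\Updater",  # same task, computer account
     "winlog.event_data.SubjectUserSid": "S-1-5-18"},
]
UNTUNED = [p for p in TASKNAME_EXCLUSIONS if not p.startswith("\\OneDrive Startup")]  # pre-tuning list
```

Running `alerting_tasks(SAMPLE_EVENTS, UNTUNED)` shows the OneDrive startup event alerting alongside the user-created task, while the tuned list leaves only the user-created task.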
winlog.event_data.TaskName set to keyword: