Improved detections based on telemetry data#4011

Open
P4T12ICK wants to merge 9 commits into develop from detection_improvements


@P4T12ICK
Collaborator

Improved detections based on telemetry data

@patel-bhavin patel-bhavin added this to the v5.27.0 milestone Apr 14, 2026
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
type: Anomaly
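Review bot: the change from `type: TTP` to `type: Anomaly` is not explained anywhere in the hunk; since TTP and Anomaly detections are weighted differently downstream, state in the rule's description (or the PR text) what in the telemetry justified the downgrade, and confirm that the risk score assigned to the rule still fits the new type rather than the old one.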
Contributor

Did you want to keep the score 50 for this?

search: |-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name=msiexec.exe Processes.process_name IN ("powershell.exe", "pwsh.exe","cmd.exe", "nltest.exe","ipconfig.exe","systeminfo.exe")
WHERE Processes.parent_process_name=msiexec.exe Processes.process_name IN ("powershell.exe", "pwsh.exe", "nltest.exe","ipconfig.exe","systeminfo.exe")
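Review bot: removing `cmd.exe` from the child-process list drops coverage for msiexec.exe spawning a command shell, which is the broadest of the listed children; if telemetry showed it was too noisy, record the offending parent or command-line pattern in known_false_positives rather than only shrinking the list, so the resulting gap is documented and can be revisited with a narrower condition later.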
Contributor

Can you add reasoning for the filter, so that people do not add it in the future without consideration?

"*;LS*",
"*;S-1-5-19*"
)
NOT Processes.process IN ("*McAfeeFramework*", "*mfefire*", "*mfemms*", "*mfevtp*", "*macmnsvc*", "*masvc*")
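Review bot: the added `NOT Processes.process IN ("*McAfeeFramework*", "*mfefire*", ...)` exclusion is a wildcard substring match on the whole command line, so any process whose command line merely contains one of those service names is dropped from the results; scope it more tightly (for example by parent process or the expected install path) and document it as an environment-specific filter in the rule's known_false_positives so that deployments without McAfee can remove it.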
Contributor

Please add a note in the rule to make people aware of this filter, so that those who do not use McAfee products can make the necessary changes if they want.

WHERE `process_regsvr32`
AND
Processes.process="*/i*"
Processes.process="*/i*" AND NOT Processes.process="*Microsoft\\TeamsMeetingAddin*"
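Review bot: `NOT Processes.process="*Microsoft\\TeamsMeetingAddin*"` matches that substring anywhere in the regsvr32 command line rather than a verified install path, so the `/i` plus Teams add-in combination should be called out in the known_false_positives section with the reason for the exclusion, and the match should be anchored to the expected path if possible so the exclusion is not silently widened later.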
Contributor

Please add a note in the FP section about this and Teams.

@nasbench nasbench modified the milestones: v5.27.0, v5.26.0 Apr 16, 2026
@nasbench
Contributor

@P4T12ICK if you address these we can ship this in 5.26 next week
