False positives on hunting rule

beshbesh · June 20, 2024, 7:39am

Hello,

The rule with 2011341, SID ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection seems to give me a false positive. When using Elastic and Winlogbeat to transfer logs over HTTP, this rule gets triggered. I noticed a few exclusions in this rule. I think another one should be added for winlogbeat. Some strings:

User-agent: “Elastic-winlogbeat/7.17.10 (windows; amd64; …” (truncated because I don’t know if there is any system-specific info in there).
URL: “/_bulk”.

I also think the severity is quite high given the false positive rate.

Thanks in advance!

ishaughnessy · June 20, 2024, 3:18pm

Hey @beshbesh,

Thanks for sharing! I’ll take a look and get an update out in today’s release.

Thanks!
Isaac

ishaughnessy · June 21, 2024, 3:40pm

@beshbesh - The updated rule should be live now. I did some hunting and found some FP’s for sentry.io stuff so I negated that too. This rule is probably prone to FP’s on traffic that is related to statistics or logs but I think negations are the right way to go since the rule is targeting the string C:\\WINDOWS\.

Thanks again for the report, let me know if you see any other issues!

Topic		Replies	Views
ET INFO PE EXE or DLL Windows file download HTTP (2018959), and Recent Tuning Rule Signatures	0	138	January 17, 2025
Ruleset Update Summary - 2023/04/18 - v10300 Ruleset Updates	0	329	April 18, 2023
False positive on rule #2032926 Rule Signatures	4	153	June 23, 2024
Addressing an FP: 2016950 - ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA Rule Signatures etopen , false-positives , rule-analysis	0	225	October 2, 2023
Ruleset Update Summary - 2023/02/28 - v10255 Ruleset Updates	0	387	February 28, 2023

False positives on hunting rule

Related topics