False positives on hunting rule


The rule with SID 2011341, ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection, seems to give me a false positive. When using Elastic and Winlogbeat to transfer logs over HTTP, this rule gets triggered. I noticed a few exclusions in this rule. I think another one should be added for winlogbeat. Some strings:

User-agent: “Elastic-winlogbeat/7.17.10 (windows; amd64; …” (truncated because I don’t know if there is any system-specific info in there).
URL: “/_bulk”.

I also think the severity is quite high given the false positive rate.

Thanks in advance!

Hey @beshbesh,

Thanks for sharing! I’ll take a look and get an update out in today’s release.


@beshbesh - The updated rule should be live now. I did some hunting and found some FPs for sentry.io stuff so I negated that too. This rule is probably prone to FPs on traffic that is related to statistics or logs, but I think negations are the right way to go since the rule is targeting the string C:\\WINDOWS\.

Thanks again for the report, let me know if you see any other issues!
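To make the negation approach discussed in this thread concrete, here is an added Python model of the rule's logic; it is not the ET rule text (which the thread does not quote). The keyed string, the winlogbeat user-agent and the `/_bulk` URI come from the thread; the sentry.io host check, the request fields and the sample requests are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class HttpRequest:
    method: str
    host: str
    uri: str
    user_agent: str
    body: bytes

# Substring the rule keys on (from the thread). JSON bodies escape the backslash,
# so one or two are allowed so that both raw and JSON-encoded paths match.
WINDOWS_FOLDER = re.compile(rb"C:\\{1,2}WINDOWS\\{1,2}", re.IGNORECASE)

Negation = Callable[[HttpRequest], bool]

def is_winlogbeat_bulk(req: HttpRequest) -> bool:
    """winlogbeat shipping events to Elasticsearch (values from the thread)."""
    return req.user_agent.startswith("Elastic-winlogbeat/") and req.uri.startswith("/_bulk")

def is_sentry_io(req: HttpRequest) -> bool:
    """Telemetry uploads to sentry.io; matching on the Host header is an assumption."""
    return req.host.endswith("sentry.io")

DEFAULT_NEGATIONS: List[Negation] = [is_winlogbeat_bulk, is_sentry_io]

def matches_rule(req: HttpRequest, negations: List[Negation] = DEFAULT_NEGATIONS) -> bool:
    """Fire when a POST body references the Windows folder and no negation applies."""
    if req.method.upper() != "POST" or not WINDOWS_FOLDER.search(req.body):
        return False
    return not any(neg(req) for neg in negations)

# Constructed sample traffic, not captured data.
SAMPLES = {
    "winlogbeat": HttpRequest("POST", "elastic.internal:9200", "/_bulk",
        "Elastic-winlogbeat/7.17.10 (windows; amd64; ...)",
        b'{"process":{"executable":"C:\\\\WINDOWS\\\\System32\\\\svchost.exe"}}\n'),
    "sentry": HttpRequest("POST", "o1234.ingest.sentry.io", "/api/1/envelope/",
        "sentry.python/1.0", b'{"frames":[{"abs_path":"C:\\\\WINDOWS\\\\app.py"}]}'),
    "unknown_poster": HttpRequest("POST", "203.0.113.10", "/upload.php",
        "Mozilla/4.0", b"file=C:\\WINDOWS\\system32\\drivers\\etc\\hosts"),
    "get_request": HttpRequest("GET", "example.test", "/?p=C:\\WINDOWS\\", "curl/8.0", b""),
}

def evaluate(samples=SAMPLES, negations: List[Negation] = DEFAULT_NEGATIONS) -> dict:
    """Map each sample name to whether the modelled rule would alert on it."""
    return {name: matches_rule(req, negations) for name, req in samples.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:15s} {'ALERT' if hit else 'no alert'}")
```

Running `evaluate(negations=[])` shows the two benign log shippers alerting, which is the false-positive pattern the thread reports; with the negations only the unknown poster alerts.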