[Testing] Unusual Parent-Child Relationship#6391
Closed
Mikaayenson wants to merge 1 commit into
Closed
Conversation
…98-4ee5-93ec-11d0bfc81988)
Contributor
Rule: Tuning - GuidelinesThese guidelines serve as a reminder set of considerations when tuning an existing rule. Documentation and Context
Rule Metadata Checks
Testing and Validation
|
|
⛔️ Test failed Results
|
Contributor
There was a problem hiding this comment.
Pull request overview
Tunes the Windows EQL detection rule “Unusual Parent-Child Relationship” to reduce false positives by expanding allowlists for specific benign parent/child process relationships observed in production telemetry.
Changes:
- Expands benign child allowlist for
conhost.exeto includecmd.exeandpowershell.exe. - Adds self-parent (and other) parent-process exceptions for multiple Windows system processes within the suspicious-parent clauses.
- Extends certain parent allowlists (e.g.,
smss.exeparent name andsvchost.exeparent names) to reduce additional benign noise.
| (process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe")) or | ||
| (process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe")) or | ||
| (process.name:"smss.exe" and not process.parent.name:("System", "smss.exe")) or | ||
| (process.name:("consent.exe", "RuntimeBroker.exe", "TiWorker.exe") and not process.parent.name:("svchost.exe", "Workplace Container Helper.exe", "consent.exe", "RuntimeBroker.exe", "TiWorker.exe")) or |
| (process.name:"taskhostw.exe" and not process.parent.name:("services.exe", "svchost.exe", "taskhostw.exe")) or | ||
| (process.name:"userinit.exe" and not process.parent.name:("dwm.exe", "winlogon.exe", "KUsrInit.exe")) or | ||
| (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:"svchost.exe") or | ||
| (process.name:("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") and not process.parent.name:("svchost.exe", "wmiprvse.exe", "wsmprovhost.exe")) or |
| (process.name:"SearchIndexer.exe" and not process.parent.name:("services.exe", "SearchIndexer.exe")) or | ||
| (process.name:"SearchProtocolHost.exe" and not process.parent.name:("SearchIndexer.exe", "dllhost.exe", "SearchProtocolHost.exe")) or | ||
| (process.name:"dllhost.exe" and not process.parent.name:("services.exe", "svchost.exe", "dllhost.exe")) or | ||
| (process.name:"smss.exe" and not process.parent.name:("System", "smss.exe", "ntoskrnl.exe")) or |
| (process.name:"services.exe" and not process.parent.name:"wininit.exe") or | ||
| (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe", "svchost.exe")) or | ||
| (process.name:"spoolsv.exe" and not process.parent.name:("services.exe", "Workplace Starter.exe")) or | ||
| (process.name:"svchost.exe" and not process.parent.name:("MsMpEng.exe", "services.exe", "svchost.exe", "rpcnet.exe", "rpcnetp.exe")) or |
| (process.parent.name:"wermgr.exe" and not process.name:("WerFaultSecure.exe", "wermgr.exe", "WerFault.exe") and | ||
| not (process.name:"rundll32.exe" and process.command_line : "*WerConCpl.dll*LaunchErcApp*")) or | ||
| (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe", "conhost.exe")) | ||
| (process.parent.name:"conhost.exe" and not process.name:("mscorsvw.exe", "wermgr.exe", "WerFault.exe", "WerFaultSecure.exe", "conhost.exe", "powershell.exe", "cmd.exe")) |
Contributor
Author
|
Testing. Closing. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves elastic/ia-trade-team#
Trigger context
35df0dd8-092d-4a83-88c1-5151a804f31bElastic Workflow — SIEM Rule Tuning PR (genai-tradecraft)
Summary
Tunes the Unusual Parent-Child Relationship (
35df0dd8) EQL rule to reduce false-positive volume caused by two broad benign pattern families observed across production telemetry.Classification
conhost.exe→cmd.exe/powershell.exeS-1-16-*)The SID-string parent name pattern accounts for the largest alert volume but is concentrated on only 2 clusters (likely a data-source mapping issue where
process.parent.nameis populated with Windows integrity-level SIDs). The rule's existingprocess.parent.executable like ("?:\\*", "\\Device\\*")guard should block these; the tuning below does not specifically target them but the query-level changes still yield a massive reduction on the patterns that fire broadly.Tuning changes
1.
conhost.exesuspicious-child clause — addcmd.exe,powershell.exeWindows headless console host (
conhost.exe --headless) legitimately spawnscmd.exeandpowershell.exe. This is standard OS behavior observed across 65+ clusters. Added both to the existing allowed-child list forconhost.exe.2. Self-parent exceptions for system processes
Several Windows system processes legitimately spawn instances of themselves during service restarts, COM surrogate re-hosting, WMI provider chaining, and Windows Update servicing. For each affected process, the process's own name was added to its allowed-parent list:
wmiprvse.exedllhost.exespoolsv.exetaskhostw.exeSearchProtocolHost.exeLogonUI.exeRuntimeBroker.exeTiWorker.exeSearchIndexer.execonsent.exeSimulation (30-day, latest rule version)
Detection gap risk: Low
svchost.exe,lsass.exe, etc.) are fully retained.KQL verification
Baseline (all alerts):
Excluded patterns:
Remaining (post-tuning):