Skip to content

[Testing] Mofcomp Activity#6392

Closed
Mikaayenson wants to merge 1 commit into
mainfrom
tuning/210d4430-b371-470e-b879-80b7182aa75e
Closed

[Testing] Mofcomp Activity#6392
Mikaayenson wants to merge 1 commit into
mainfrom
tuning/210d4430-b371-470e-b879-80b7182aa75e

Conversation

@Mikaayenson

Copy link
Copy Markdown
Contributor

Resolves elastic/ia-trade-team#

Trigger context

Field Value
Rule
Rule ID ``
Rule type n/a

Elastic Workflow — SIEM Rule Tuning PR (genai-tradecraft)


Summary

Tunes Mofcomp Activity (210d4430) to exclude two dominant false-positive patterns that account for 98.4 % of version-pinned alerts over 30 days.

FP Classification

# Pattern Description 30-day alerts Clusters
1 msiexec.exe parent process MSI installer–driven MOF compilation during legitimate software installations (e.g., Microsoft Policy Platform, Dell Command Monitor, Microsoft System Center VMM, Dynamics AX, WMI provider registration/removal) 17,080 7
2 cscript.exe parent + ZTITatoo.mof Microsoft Deployment Toolkit (MDT) Zero Touch Installation tattooing — registers a WMI class for OS deployment tracking 342 2

Both patterns are well-known benign operations with no adversary utility beyond what is already covered by other detection rules (e.g., suspicious MSI child processes, unusual script execution).

Query Diff

 process where host.os.type == "windows" and event.type == "start" and
   process.name : "mofcomp.exe" and process.args : "*.mof" and
   not user.id : "S-1-5-18" and
+  not process.parent.name : "msiexec.exe" and
   not
   (
     process.parent.name : "ScenarioEngine.exe" and
     process.args : (
       "*\\MSSQL\\Binn\\*.mof",
       "*\\Microsoft SQL Server\\???\\Shared\\*.mof",
       "*\\OLAP\\bin\\*.mof"
     )
-  )
+  ) and
+  not
+  (
+    process.parent.name : "cscript.exe" and
+    process.args : "*\\ZTITatoo.mof"
+  )

Simulation (30 days, version-pinned v11)

Metric Baseline After Change
Alerts 17,374 276 −98.4 %
Clusters 34 30 −11.8 %
Agents 92 83 −9.8 %

Detection Gap Risk: Low

  • msiexec.exe → attacker-crafted MSI invoking mofcomp.exe is a theoretical vector, but MSI-based attacks are covered by dedicated rules (suspicious MSI child processes, unusual MSI execution context). The remaining detection surface retains cmd.exe, powershell.exe, WmiPrvSE.exe, installutil.exe, and other parent processes.
  • ZTITatoo.mof is a static MDT file with no attacker utility.
  • Rule retains 88 % of cluster coverage and 90 % of agent coverage.

Copilot AI review requested due to automatic review settings July 6, 2026 21:24
@Mikaayenson Mikaayenson added Rule: Tuning tweaking or tuning an existing rule genai-tradecraft labels Jul 6, 2026
@botelastic botelastic Bot added Domain: Endpoint OS: Windows windows related rules labels Jul 6, 2026
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@tradebot-elastic

tradebot-elastic commented Jul 6, 2026

Copy link
Copy Markdown

⛔️ Test failed

Results
  • ❌ Mofcomp Activity (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@Mikaayenson Mikaayenson changed the title [Rule Tuning] Mofcomp Activity [Testing] Mofcomp Activity Jul 6, 2026
@Mikaayenson

Copy link
Copy Markdown
Contributor Author

Testing. Closing/

@Mikaayenson Mikaayenson closed this Jul 6, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Tunes the existing Windows EQL detection rule “Mofcomp Activity” to reduce alert noise by excluding two dominant benign parent-process patterns (MSI-driven installs and MDT ZTITatoo MOF compilation).

Changes:

  • Updated updated_date to reflect the tuning date.
  • Added EQL exclusions for msiexec.exe parent process and cscript.exe compiling ZTITatoo.mof.
  • Updated the investigation guide false-positive analysis to document the new exclusions.

Comment on lines +47 to 50
not process.parent.name : "msiexec.exe" and
not
(
process.parent.name : "ScenarioEngine.exe" and
Comment on lines +99 to +100
- MSI installer-driven MOF compilation during software installations (e.g., Microsoft Policy Platform, Dell Command Monitor, System Center VMM) is excluded by filtering out msiexec.exe as a parent process.
- Microsoft Deployment Toolkit (MDT) Zero Touch Installation tattooing via cscript.exe compiling ZTITatoo.mof is excluded as a known benign deployment operation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport: auto Domain: Endpoint genai-tradecraft OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants