chore: update evtx baseline to v0.8.2 #5679
Merged
phantinuss merged 26 commits into master on Oct 9, 2025
phantinuss commented Oct 8, 2025

Review threads (resolved, now outdated) on:
- ...ting/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml
- ...indows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml
- rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml
- rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml
- rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml
- rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml
- rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml
- rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
Pull Request Overview
This PR updates the EVTX baseline to version 0.8.2, which includes numerous filter refinements across Sigma detection rules to reduce false positives while maintaining detection coverage.
- Updates EVTX baseline version reference in workflows
- Adds comprehensive filters for legitimate software including antivirus products (Avira, AVG, Avast), Microsoft applications, and common development tools
- Refines existing filters with more specific path matching and additional legitimate process exclusions
Reviewed Changes
Copilot reviewed 65 out of 65 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/goodlog-tests.yml | Updates EVTX baseline version to v0.8.2 |
| .github/workflows/known-FPs.csv | Adds new known false positive patterns and consolidates existing ones |
| rules/windows/registry/registry_set/* | Adds filters for legitimate applications and refines existing detection logic |
| rules/windows/process_creation/* | Enhances filters for common software installations and system processes |
| rules/windows/image_load/* | Improves sideloading detection with better legitimate application exclusions |
| rules/windows/file/file_event/* | Refines file creation monitoring with enhanced system process filters |
| rules/windows/builtin/* | Updates security event filters for legitimate administrative activities |
| rules/windows/powershell/* | Enhances PowerShell monitoring with better module loading filters |
| rules-threat-hunting/* | Moves NTFS short name detection rule to threat hunting category |
Review threads (resolved) on:
- rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml (outdated)
- rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
swachchhanda000 approved these changes Oct 9, 2025
phantinuss commented Oct 9, 2025

Review thread (resolved, now outdated) on:
- rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
nasbench approved these changes Oct 9, 2025
Review threads (resolved, now outdated) on:
- rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml
- rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml
- rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
Summary of the Pull Request
Changelog
chore: update evtx baseline to v0.8.2 and fix FPs
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions