[Rule Tuning] Hosts File Modified #5401

@girtsLv

Description

Link to Rule

https://github.com/elastic/detection-rules/blob/e8c54169a496e2bc788371a7bf8564c81c08b751/rules/cross-platform/impact_hosts_file_modified.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

False positive on hosts file update by Docker process.

  • process.executable: C:\Program Files\Docker\Docker\InstallerCli.exe
  • file.path: C:\WINDOWS\System32\drivers\etc\hosts

Example Data

Alert data

_id: d85ef1f0d9252aab60b96a35dbb86c9b8d815b935109d20afcfd7ea588cf4094
_index: .internal.alerts-security.alerts-default-000006
_score: 1
fields:
  '@timestamp':
  - '2025-11-28T15:40:12.521Z'
  data_stream.dataset:
  - endpoint.events.file
  data_stream.namespace:
  - workstations
  event.action:
  - overwrite
  event.category:
  - file
  event.created:
  - '2025-11-28T15:30:46.940Z'
  event.dataset:
  - endpoint.events.file
  event.id:
  - OGG2D30H2MY2e8H5+++9XcX5
  event.ingested:
  - '2025-11-28T15:37:39.000Z'
  event.sequence:
  - 7004652
  file.Ext.entropy:
  - 4.840284796764179
  file.Ext.header_bytes:
  - efbbbf2320436f707972696768742028
  file.name:
  - hosts
  file.path:
  - C:\WINDOWS\System32\drivers\etc\hosts
  file.path.text:
  - C:\WINDOWS\System32\drivers\etc\hosts
  file.size:
  - 1829
  host.id:
  - 6b686c20-fbd7-45a2-ab4c-834e70565c5a
  host.name:
  - <redacted>
  host.os.type:
  - windows
  message:
  - Endpoint file event
  process.Ext.code_signature.exists:
  - true
  process.Ext.code_signature.status:
  - trusted
  process.Ext.code_signature.subject_name:
  - Docker Inc
  process.Ext.code_signature.trusted:
  - true
  process.code_signature.exists:
  - true
  process.code_signature.status:
  - trusted
  process.code_signature.subject_name:
  - Docker Inc
  process.code_signature.trusted:
  - true
  process.executable:
  - C:\Program Files\Docker\Docker\InstallerCli.exe
  process.executable.text:
  - C:\Program Files\Docker\Docker\InstallerCli.exe
  process.name:
  - InstallerCli.exe
  process.name.text:
  - InstallerCli.exe
  process.parent.pid:
  - 32740
  process.pid:
  - 3200
  process.thread.id:
  - 5344
  user.domain:
  - NT AUTHORITY
  user.id:
  - S-1-5-18
  user.name:
  - SYSTEM
  user.name.text:
  - SYSTEM
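The exclusion this issue asks for, shown as an added example (it is not the issue author's code and not the rule's own query from elastic/detection-rules): a small Python model of a hosts-file-write match with a candidate Docker Desktop exclusion, run over constructed ECS-style events condensed from the alert above plus two variants. The hosts-path set, the accepted event.action values, the function names and the sample events are assumptions for the demo; the real tuning would be applied to the rule query or as an exception list in the TOML. The point it illustrates is that the exclusion should key on the executable path and the trusted "Docker Inc" signature together, and that Windows paths must be compared case-insensitively (the alert shows C:\WINDOWS\..., not C:\Windows\...).

```python
# Added example: minimal model of the "Hosts File Modified" match plus a
# candidate exclusion for the Docker Desktop installer false positive.
# Not the Elastic rule's own logic; names, action set and events are assumptions.

# Hosts file locations the demo treats as protected (assumption; lowercase for
# case-insensitive comparison, since Windows paths vary in case across hosts).
HOSTS_PATHS = {
    r"c:\windows\system32\drivers\etc\hosts",
    "/etc/hosts",
    "/private/etc/hosts",
}

# File actions counted as a modification (assumption; the alert above used "overwrite").
WRITE_ACTIONS = {"creation", "modification", "overwrite", "rename"}

# Exclusion keyed on BOTH the executable path and the code-signing subject.
# Path alone is spoofable: anyone can drop a binary at the same location.
DOCKER_INSTALLER_PATH = r"c:\program files\docker\docker\installercli.exe"
DOCKER_SIGNER = "Docker Inc"


def is_hosts_file_write(event):
    """True when the event is a write-type file action on a hosts file."""
    return (
        event.get("event.category") == "file"
        and event.get("event.action") in WRITE_ACTIONS
        and event.get("file.path", "").lower() in HOSTS_PATHS
    )


def is_docker_installer_fp(event):
    """True only for the signed Docker Desktop installer at its expected path."""
    return (
        event.get("process.executable", "").lower() == DOCKER_INSTALLER_PATH
        and event.get("process.code_signature.trusted") is True
        and event.get("process.code_signature.subject_name") == DOCKER_SIGNER
    )


def should_alert(event):
    """Tuned rule: hosts-file write that is not the known Docker installer."""
    return is_hosts_file_write(event) and not is_docker_installer_fp(event)


# Constructed sample events (condensed from the issue's alert, plus variants).
SAMPLE_EVENTS = [
    {   # the false positive reported in the issue
        "id": "docker-signed",
        "event.category": "file", "event.action": "overwrite",
        "file.path": r"C:\WINDOWS\System32\drivers\etc\hosts",
        "process.executable": r"C:\Program Files\Docker\Docker\InstallerCli.exe",
        "process.code_signature.trusted": True,
        "process.code_signature.subject_name": "Docker Inc",
    },
    {   # same path, but unsigned: a look-alike binary must still alert
        "id": "lookalike-unsigned",
        "event.category": "file", "event.action": "overwrite",
        "file.path": r"C:\Windows\System32\drivers\etc\hosts",
        "process.executable": r"C:\Program Files\Docker\Docker\InstallerCli.exe",
        "process.code_signature.trusted": False,
        "process.code_signature.subject_name": "",
    },
    {   # ordinary editor touching hosts: alerts as before
        "id": "notepad",
        "event.category": "file", "event.action": "modification",
        "file.path": r"C:\Windows\System32\drivers\etc\hosts",
        "process.executable": r"C:\Windows\System32\notepad.exe",
        "process.code_signature.trusted": True,
        "process.code_signature.subject_name": "Microsoft Windows",
    },
    {   # Docker installer writing elsewhere: not a hosts write, not in scope
        "id": "docker-other-file",
        "event.category": "file", "event.action": "creation",
        "file.path": r"C:\Program Files\Docker\Docker\resources\bin\docker.exe",
        "process.executable": r"C:\Program Files\Docker\Docker\InstallerCli.exe",
        "process.code_signature.trusted": True,
        "process.code_signature.subject_name": "Docker Inc",
    },
]


def run(events):
    """Return the ids of events the tuned rule would still alert on."""
    return [e["id"] for e in events if should_alert(e)]


if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

Running the block prints the two ids that still alert after tuning: the unsigned look-alike at the Docker path and the editor write. The signed installer event from the issue is suppressed, and an exclusion built on process.executable alone would have silenced the look-alike too.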
