[Rule Tuning] Windows High Severity - 3

rules/windows/discovery_host_public_ip_address_lookup.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/08/20"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/05"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-network where host.os.type == "windows" and dns.question.name != null and
+network where host.os.type == "windows" and dns.question.name != null and process.name != null and
 (
   process.name : ("MSBuild.exe", "mshta.exe", "wscript.exe", "powershell.exe", "pwsh.exe", "msiexec.exe", "rundll32.exe",
   "bitsadmin.exe", "InstallUtil.exe", "RegAsm.exe", "vbc.exe", "RegSvcs.exe", "python.exe", "regsvr32.exe", "dllhost.exe",
@@ -82,7 +82,7 @@ network where host.os.type == "windows" and dns.question.name != null and
 
   ?process.code_signature.subject_name : ("AutoIt Consulting Ltd", "OpenJS Foundation", "Python Software Foundation") or
 
-  ?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe", "?\\Device\\HarddiskVolume?\\Users\\*.exe", "?\\Device\\HarddiskVolume?\\ProgramData\\*.exe")
+  ?process.executable : ("?:\\Users\\*.exe", "?:\\ProgramData\\*.exe")
  ) and
  dns.question.name :
          (

rules/windows/execution_pdf_written_file.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/09/12"
 
 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ index = [
 interval = "60m"
 language = "eql"
 license = "Elastic License v2"
-name = "Execution of File Written or Modified by PDF Reader"
+name = "Deprecated - Execution of File Written or Modified by PDF Reader"
 note = """## Triage and analysis
 
-### Investigating Execution of File Written or Modified by PDF Reader
+### Investigating Deprecated - Execution of File Written or Modified by PDF Reader
 
 PDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.
 
@@ -69,9 +69,9 @@ This rule searches for executable files written by PDF reader software and execu
     - Consider improvements to the security awareness program.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
 """
-risk_score = 73
+risk_score = 21
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
-severity = "high"
+severity = "low"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",

rules/windows/execution_powershell_susp_args_via_winscript.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/09/09"
 integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/26"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,11 @@ type = "eql"
 
 query = '''
 process where host.os.type == "windows" and event.type == "start" and
-  process.name : ("powershell.exe", "pwsh.exe", "cmd.exe") and
+  process.command_line != null and
+  (
+    process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe", "cmd.exe") or
+    ?process.pe.original_file_name : ("powershell.exe", "pwsh.dll", "powershell_ise.exe", "Cmd.Exe")
+  ) and
   process.parent.name : ("wscript.exe", "mshta.exe")
 '''
 

rules/windows/execution_via_mmc_console_file_unusual_path.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/06/19"
 integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/08/28"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -60,9 +60,9 @@ Microsoft Management Console (MMC) is a Windows utility that provides a framewor
 - Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
 references = ["https://www.elastic.co/security-labs/grimresource"]
-risk_score = 73
+risk_score = 47
 rule_id = "7e23dfef-da2c-4d64-b11d-5f285b638853"
-severity = "high"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
@@ -93,7 +93,13 @@ process where host.os.type == "windows" and event.type == "start" and
         "?:\\Windows\\System32\\*.msc",
         "?:\\Windows\\SysWOW64\\*.msc",
         "?:\\Program files\\*.msc",
-        "?:\\Program Files (x86)\\*.msc"
+        "?:\\Program Files (x86)\\*.msc",
+        "?:\\Windows\\ADFS\\Microsoft.IdentityServer.msc"
+  ) and
+  not process.command_line : (
+    "C:\\Windows\\system32\\mmc.exe eventvwr.msc /s",
+    "mmc.exe eventvwr.msc /s",
+    "\"C:\\Windows\\System32\\mmc.exe\" CompMgmt.msc*"
   )
 '''
 

rules/windows/impact_mod_critical_os_files.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/09/01"
 integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/11"
 
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ query = '''
 file where host.os.type == "windows" and event.type in ("change", "deletion") and
  file.name : ("winload.exe", "winlod.efi", "ntoskrnl.exe", "bootmgr") and
  file.path : ("?:\\Windows\\*", "\\Device\\HarddiskVolume*\\Windows\\*") and
- not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "?\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe")
+ not process.executable : ("?:\\Windows\\System32\\poqexec.exe", "\\Device\\HarddiskVolume*\\Windows\\System32\\poqexec.exe")
 '''