Skip to content

[Rule Tuning] PowerShell Rules Revamp - 8#5705

Merged
w0rk3r merged 6 commits into
mainfrom
posh_7
Feb 11, 2026
Merged

[Rule Tuning] PowerShell Rules Revamp - 8#5705
w0rk3r merged 6 commits into
mainfrom
posh_7

Conversation

@w0rk3r
Copy link
Copy Markdown
Contributor

@w0rk3r w0rk3r commented Feb 9, 2026

Issues

BAU, part of https://github.com/elastic/ia-trade-team/issues/619

Summary

  • Updated the rule descriptions to be more accurate/informative
  • Adjusted/Rewrote the investigation guides to be more actionable
  • Adjusted queries to exclude FPs or expand the logic to cover possible FNs
  • Added highlighted/investigation fields to improve triage & investigation
  • Updated the setup instructions to point to our new docs page

@w0rk3r w0rk3r self-assigned this Feb 9, 2026
@w0rk3r w0rk3r added Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules Domain: Endpoint backport: auto labels Feb 9, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Feb 9, 2026

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 9, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ PowerShell Script with Token Impersonation Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell PSReflect Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Portable Executable Encoded in Powershell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Function Names (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malicious PowerShell Based on Alert Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Aegrah
Aegrah approved these changes Feb 11, 2026
View reviewed changes
Comment thread rules/windows/execution_posh_portable_executable.toml Outdated
Mikaayenson
Mikaayenson approved these changes Feb 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Mikaayenson Mikaayenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

small nit, otherwise lgtm with pending IG disclaimer updates

Comment thread rules/windows/execution_posh_psreflect.toml Outdated
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 11, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ PowerShell Script with Token Impersonation Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell PSReflect Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Portable Executable Encoded in Powershell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Function Names (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malicious PowerShell Based on Alert Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

w0rk3r
w0rk3r commented Feb 11, 2026
View reviewed changes
Comment thread rules/windows/execution_posh_portable_executable.toml Outdated
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 11, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ PowerShell Script with Token Impersonation Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell PSReflect Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Portable Executable Encoded in Powershell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Function Names (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malicious PowerShell Based on Alert Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@w0rk3r @Mikaayenson
Update rules/windows/execution_posh_psreflect.toml
5fd5c6d 
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 11, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ PowerShell Script with Token Impersonation Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell PSReflect Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Portable Executable Encoded in Powershell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Function Names (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malicious PowerShell Based on Alert Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

w0rk3r
w0rk3r commented Feb 11, 2026
View reviewed changes
Comment thread rules/windows/execution_posh_hacktool_functions.toml Outdated
@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 11, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ PowerShell Script with Token Impersonation Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell PSReflect Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Portable Executable Encoded in Powershell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Function Names (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malicious PowerShell Based on Alert Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link
Copy Markdown

tradebot-elastic commented Feb 11, 2026
edited
Loading

⛔️ Test failed

Results
  • ❌ PowerShell Script with Token Impersonation Capabilities (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ PowerShell PSReflect Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Suspicious Portable Executable Encoded in Powershell Script (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential PowerShell HackTool Script by Function Names (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Potential Malicious PowerShell Based on Alert Correlation (esql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@w0rk3r w0rk3r merged commit 4980a3b into main Feb 11, 2026
15 of 19 checks passed
@w0rk3r w0rk3r deleted the posh_7 branch February 11, 2026 19:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@Aegrah Aegrah Aegrah approved these changes

@DefSecSentinel DefSecSentinel Awaiting requested review from DefSecSentinel

@Samirbous Samirbous Awaiting requested review from Samirbous

@terrancedejesus terrancedejesus Awaiting requested review from terrancedejesus

@eric-forte-elastic eric-forte-elastic Awaiting requested review from eric-forte-elastic

Assignees

@w0rk3r w0rk3r

Labels

backport: auto Domain: Endpoint OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@w0rk3r @tradebot-elastic @Mikaayenson @Aegrah