
[Rule Tuning] Unusual Network Activity from a Windows System Binary #4998

@tyler-mcadam

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_network_connection_from_windows_binary.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

I may be missing something but it looks like this alert can FP because of the dns.question.name exclusions and the fact that the field won't appear in the connection records after the domain is resolved. Is there a reason not to limit the network portion to DNS lookups?

Example Data

msiexec process create -> msiexec queries acroipm2.adobe.com -> msiexec connects to the resolved IP

It looks like the DNS query is essentially being ignored because the rule only needs the process and the connection to X.X.X.X
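An added illustration of the behaviour the issue describes (this is not the rule's real EQL and not code from the Elastic repository): a minimal model in which the exclusion list is checked against `dns.question.name`, so it can only ever match the DNS event and never the follow-on connection event, which carries no such field. The event records, the `EXCLUDED_DOMAINS` stand-in and the `correlated_rule` variant are assumptions made for the example; the ECS field names are real.

```python
# Constructed sample events for one msiexec process: start -> DNS query -> connection.
# Field names follow ECS; the values (entity id, IP) are made up for the example.
SYSTEM_BINARIES = {"msiexec.exe"}
EXCLUDED_DOMAINS = {"acroipm2.adobe.com"}   # stand-in for the rule's dns.question.name exclusions

EVENTS = [
    {"event.category": "process", "event.type": "start",
     "process.name": "msiexec.exe", "process.entity_id": "p1"},
    {"event.category": "network", "process.name": "msiexec.exe",
     "process.entity_id": "p1", "dns.question.name": "acroipm2.adobe.com"},
    {"event.category": "network", "process.name": "msiexec.exe",
     "process.entity_id": "p1", "destination.ip": "203.0.113.10"},   # resolved IP
]

def _candidate(ev):
    # Network activity from one of the watched Windows system binaries.
    return ev.get("event.category") == "network" and ev.get("process.name") in SYSTEM_BINARIES

def naive_rule(events):
    """Behaviour reported in the issue: every network event from a system binary alerts
    unless its dns.question.name is excluded. The connection event has no
    dns.question.name, so the exclusion never matches it and it still alerts."""
    return [ev for ev in events
            if _candidate(ev) and ev.get("dns.question.name") not in EXCLUDED_DOMAINS]

def dns_only_rule(events):
    """The reporter's suggestion: evaluate only DNS lookups, the events that actually
    carry the field the exclusions are written against."""
    return [ev for ev in events
            if _candidate(ev) and "dns.question.name" in ev
            and ev["dns.question.name"] not in EXCLUDED_DOMAINS]

def correlated_rule(events):
    """Alternative (an assumption, not proposed in the issue): keep connection events
    but suppress a connection whose process already resolved an excluded domain."""
    cleared, alerts = set(), []
    for ev in events:
        if not _candidate(ev):
            continue
        name = ev.get("dns.question.name")
        if name in EXCLUDED_DOMAINS:
            cleared.add(ev["process.entity_id"])   # remember the benign resolution
            continue
        if name is None and ev["process.entity_id"] in cleared:
            continue                                # connection follows a benign lookup
        alerts.append(ev)
    return alerts

if __name__ == "__main__":
    print(len(naive_rule(EVENTS)), len(dns_only_rule(EVENTS)), len(correlated_rule(EVENTS)))
```

Running it shows the naive model raising one alert on the connection event while both tuned variants stay quiet for this benign sequence.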
