Samirbous
@jaimeatwork that's awesome, I think a PR branch to branch will be good.
@terrancedejesus 👍 moved the two that passed the checks to a different PR to avoid the dependency on the blocker https://github.com/elastic/detection-rules/pull/4694
thank you @drummbelbummel for submitting the sample FP, after verification it appears that you are using an old version of the rule that we previously tuned, can you compare the...
@shashank-elastic any ideas on this update issue?
@drummbelbummel Great, let me know if you don't see the same FPs, so we can close this issue.
Hi @mSALDANHAf, you can add an endpoint exception https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions#endpoint-rule-exceptions :
```
rule.id is "3cd302aa-098b-4da6-bf20-8d37efe5f861"
process.executable is
```
@clement-fouque sorry, it was closed automatically, we will review this internally. Do you have an example of the logs?
fyi @DefSecSentinel
@tyler-mcadam thank you for reporting this issue, indeed the not condition `not (process.name : ("winword.exe", "explorer.exe", "w3wp.exe", "Dism.exe")` will cause the rule to miss if the binary is just moved to a...
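To make the gap in that exclusion concrete, here is an added example (not code from elastic/detection-rules, and not the rule's actual query) that reduces the `not (process.name : (...))` clause to a Python predicate and runs it over a few constructed process events. The "expected directory" table and the hardened predicate that also checks `process.executable` are assumptions used for illustration, not the project's fix.

```python
"""Why an exclusion keyed only on process.name is easy to slip past.

Added example, not code from elastic/detection-rules. The rule query is
simplified to a Python predicate; the install paths and event records
below are constructed for illustration.
"""

# Names from the exclusion quoted in the thread (EQL `:` is case-insensitive,
# so everything is compared in lower case).
EXCLUDED_NAMES = ("winword.exe", "explorer.exe", "w3wp.exe", "dism.exe")

# Hypothetical "where this binary normally lives" table (assumption, not
# taken from the rule). A real rule would tune these per environment.
EXPECTED_DIRS = {
    "winword.exe": (
        "c:\\program files\\microsoft office\\",
        "c:\\program files (x86)\\microsoft office\\",
    ),
    "explorer.exe": ("c:\\windows\\",),
    "w3wp.exe": ("c:\\windows\\system32\\inetsrv\\",),
    "dism.exe": ("c:\\windows\\system32\\",),
}


def excluded_by_name(event: dict) -> bool:
    """Original shape: the event is excluded if process.name matches the list."""
    return event.get("process.name", "").lower() in EXCLUDED_NAMES


def excluded_by_name_and_path(event: dict) -> bool:
    """Hardened shape (assumption): the name only buys an exclusion when the
    executable sits in a directory that binary is expected to run from."""
    name = event.get("process.name", "").lower()
    exe = event.get("process.executable", "").lower()
    return any(exe.startswith(directory) for directory in EXPECTED_DIRS.get(name, ()))


def alerts(events: list, exclusion) -> list:
    """Run the simplified rule: every event the exclusion does not cover alerts."""
    return [event["id"] for event in events if not exclusion(event)]


# Constructed sample events (not real telemetry).
EVENTS = [
    {   # legitimate Word, in its normal install directory
        "id": "e1",
        "process.name": "WINWORD.EXE",
        "process.executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    },
    {   # attacker binary simply renamed to winword.exe and dropped in a writable path
        "id": "e2",
        "process.name": "winword.exe",
        "process.executable": "C:\\Users\\Public\\winword.exe",
    },
    {   # unrelated process, should alert under either predicate
        "id": "e3",
        "process.name": "mshta.exe",
        "process.executable": "C:\\Windows\\System32\\mshta.exe",
    },
]


if __name__ == "__main__":
    print("name-only exclusion alerts on:", alerts(EVENTS, excluded_by_name))
    print("name+path exclusion alerts on:", alerts(EVENTS, excluded_by_name_and_path))
```

With the name-only predicate the renamed binary in `C:\Users\Public` (event `e2`) is silently excluded, so only `e3` alerts; anchoring the exclusion on the executable's path as well makes `e2` alert while the genuine Office install (`e1`) stays excluded.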
> Am I supposed to close the issue or do you do it after merging?

@tyler-mcadam once merged we will close it.