[Tuning] Top Noisy Windows BBR

rules_building_block/discovery_generic_process_discovery.toml

@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/07/13"
 integration = ["endpoint", "windows", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,6 @@ enumerate processes to identify installed applications and security solutions.
 """
 from = "now-9m"
 index = [
-    "endgame-*",
     "logs-endpoint.events.process-*",
     "logs-system.security*",
     "logs-windows.*",
@@ -33,21 +32,27 @@ tags = [
     "Tactic: Discovery",
     "Rule Type: BBR",
     "Data Source: Elastic Defend",
-    "Data Source: Elastic Endgame",
     "Data Source: Windows Security Event Logs",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.type == "start" and process.args != null and
+process where host.os.type == "windows" and event.type == "start" and process.args != null and 
+  not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and process.parent.executable != null and
   (
-    process.name :("PsList.exe", "qprocess.exe") or 
-   (process.name : "powershell.exe" and process.args : ("*get-process*", "*Win32_Process*")) or 
-   (process.name : "wmic.exe" and process.args : ("process", "*Win32_Process*")) or
-   (process.name : "tasklist.exe" and not process.args : ("pid eq*")) or
-   (process.name : "query.exe" and process.args : "process")
-  ) and not user.id : "S-1-5-18"
+   process.name :("PsList.exe", "qprocess.exe") or
+
+   (process.name : "powershell.exe" and process.args : ("*get-process*", "*Win32_Process*") and not process.parent.name in ("openaev-agent.exe", "cmd.exe", "Miro.exe", "Granola.exe", "Wispr Flow.exe")) or
+
+   (process.name : "wmic.exe" and process.args : ("process", "*Win32_Process*") and not process.parent.name in ("Code.exe", "node.exe", "javaw.exe", "java.exe", "asus_framework.exe", "Evernote.exe", "RingCentral.exe", "Avaya Cloud.exe", "Arduino IDE.exe")) or
+
+   (process.name : "tasklist.exe" and process.args_count == 1 and process.parent.args != "tasklist | findstr consent.exe") or
+
+   (process.name : "query.exe" and process.args : ("process", "imagename*", "csv", "/fi"))
+  ) and
+  not process.working_directory like ("?:\\Program Files*", "D:\\*", "E:\\*") and
+  not process.parent.executable like ("?:\\Program Files (x86)\\*.exe", "?:\\Program Files\\*.exe")
 '''
 
 

rules_building_block/discovery_system_service_discovery.toml

@@ -3,7 +3,7 @@ bypass_bbr_timing = true
 creation_date = "2023/01/24"
 integration = ["windows", "endpoint", "system"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/12/17"
 
 [rule]
 author = ["Elastic"]
@@ -41,14 +41,30 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "windows" and event.type == "start" and
+process where host.os.type == "windows" and event.type == "start" and process.parent.executable != null and
   (
   ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and 
-    not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or
-  ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or
-  ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc") or
+    not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2 and
+    not process.parent.args : ("*.bat", "*netlogon*", "\\\\*")) or
+  ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*") and not process.parent.args : "*.bat") or
+  ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc" and not process.command_line : "*\\Windows\\TEMP\\nessus_task_list*") or
   (process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe")
-  ) and not user.id : "S-1-5-18"
+  ) and
+  not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
+  not process.parent.executable in
+                       ("C:\\Program Files\\AzureConnectedMachineAgent\\himds.exe",
+                        "C:\\Program Files\\AzureConnectedMachineAgent\\azcmagent.exe",
+                        "C:\\Program Files\\Varian\\DICOMServices\\VMS.DICOMServices.ServiceFW.GenericControlledServiceHost.exe",
+                        "C:\\Senior\\HCM\\jdk-11.0.2\\bin\\java.exe",
+                        "D:\\biomerieux\\programs\\ServiceMonitor\\bin\\MylaServiceMonitor.exe",
+                        "C:\\ViewPowerPro\\openJDK\\bin\\javaw.exe",
+                        "C:\\ServiceNow MID Server mid-server-autosports-prod\\agent\\jre\\bin\\java.exe") and
+  not process.command_line in ("sc  queryex SCardSvr",
+                               "sc  query \"Axway_Integrator\" ",
+                               "sc  query \"Delta enteliVAULT PostgreSQL\" ",
+                               "sc  query \"WERMA-WIN-Connector\" ",
+                               "sc  query _EWSSynchronizationServer_JDE ",
+                               "sc query SchneiderUPSMySQL")
 '''