Can you track Windows Defender sample submission?

Yes. I know I can do that. I have used Splunk since 2005 and Elastic since Logstash came out. I have no doubts regarding the possibility of making a rule for an event.
Likely this is a MAPS event; from the examples, probably none would match, since it was not malware being handled, just a suspicious file.
From a past incident I remember that the main issue with Defender (1006/1007) is that they have very delayed logging.

I think the current bluehammer etc. Defender exploits would show up as a 1117 and potentially a 1119, for example.
If I make a ruleset for it and find out how to trigger a suspicious file upload to test it well, I'll also make a PR. It's not high on my prio list though.

I was just trying to make clear that there's a functional gap in the existing default rule sets, right where EVERY product eval being done would look.
I see no benefit in leaving low hanging fruit as a "yeah but you can add that". Especially since baselining is where the main weaknesses are compared to other commercial products in the same range.

But I think I have tried often enough now; either someone in PM scribbles a note or no one does :slight_smile:
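As an added illustration of the two points above (a rule on the Defender event IDs the post names, and the delayed-logging problem), here is example code that is not from the poster or any rule set: it runs a simple matcher over constructed, forwarded-event-shaped records and reports which matches a scheduled search over event time would miss because they arrived late. The event ID descriptions, the record layout and the ingest timestamps are assumptions; the post does not identify the actual sample-submission event, so none is matched here.

```python
from datetime import datetime

# Defender Operational-log event IDs named in the thread (descriptions assumed).
DEFENDER_EVENT_IDS = {
    1006: "malware or unwanted software found (legacy event)",
    1007: "action taken to protect the system (legacy event)",
    1117: "action taken to protect the system",
    1119: "critical error while trying to take action",
}

# Constructed sample records, not real telemetry. "Ingested" is when the SIEM
# received the record; "TimeCreated" is the timestamp inside the event itself.
SAMPLE_EVENTS = [
    {"Provider": "Microsoft-Windows-Windows Defender", "EventID": 1117,
     "TimeCreated": "2024-05-01T10:00:05", "Ingested": "2024-05-01T10:00:40",
     "ThreatName": "Trojan:Win32/ConstructedSample"},
    {"Provider": "Microsoft-Windows-Windows Defender", "EventID": 1119,
     "TimeCreated": "2024-05-01T10:01:00", "Ingested": "2024-05-01T10:45:00",
     "ThreatName": "Trojan:Win32/ConstructedSample"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4688,
     "TimeCreated": "2024-05-01T10:02:00", "Ingested": "2024-05-01T10:02:10"},
    {"Provider": "Microsoft-Windows-Windows Defender", "EventID": 1006,
     "TimeCreated": "2024-05-01T09:30:00", "Ingested": "2024-05-01T10:50:00",
     "ThreatName": "Trojan:Win32/ConstructedSample"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def matches_rule(event):
    """Rule body: fire on any Defender event ID listed above."""
    return (event.get("Provider") == "Microsoft-Windows-Windows Defender"
            and event.get("EventID") in DEFENDER_EVENT_IDS)


def logging_delay(event):
    """Seconds between the event's own timestamp and its arrival in the SIEM."""
    return (parse_ts(event["Ingested"]) - parse_ts(event["TimeCreated"])).total_seconds()


def evaluate(events, search_window_s=300):
    """Return (alerts, missed). 'alerts' are IDs the rule matched; 'missed' are
    matches whose delay exceeds the window, so a scheduled search that looks
    back search_window_s seconds of TimeCreated would already have run past them.
    Searching on ingest time (or widening the lookback) avoids that gap."""
    alerts, missed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        alerts.append(ev["EventID"])
        if logging_delay(ev) > search_window_s:
            missed.append(ev["EventID"])
    return alerts, missed
```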