Exception for "Potential Antimalware Scan Interface Bypass via PowerShell"

Hello,

There are a lot of false positives from "Potential Antimalware Scan Interface Bypass via PowerShell". For some of the rules I could find an exception, as the script location was part of the message. In this case I could only make an exception for the whole machine. The script in the message is varying.
Any idea how to solve this?

Hi @GKre, you can open a Tune Existing Rule issue here with a sample event (you can strip off private information such as host and user information etc.) and we can take a look at it and push a tuning.

For this specific rule we usually use powershell.file.script_block_text to tune false positives (if file path is missing), like this exception here: detection-rules/rules/windows/defense_evasion_amsi_bypass_powershell.toml at bfca0ea4142cb29321ddfc30412963db4e599333 (elastic/detection-rules on GitHub).
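To make the difference between the two exception scopes concrete, here is an added illustration (not Elastic's code and not the rule's actual query): a few constructed script-block events that the upstream rule has already flagged, and three exception predicates, one host-wide, one keyed on file.path, and one keyed on a known-good marker in powershell.file.script_block_text for the case where the path is absent. The host name, paths, script text and the "rule_hit" field are all made up for the example; the field names follow ECS and the Elastic Windows integration.

```python
"""Scoping exceptions for a PowerShell script-block rule (added illustration).

Not Elastic's code. Events are constructed; the rule's own verdict is
represented by the constructed "rule_hit" field so the example can focus
on how narrowly each exception suppresses the alert.
"""
from typing import Callable, Dict, List

Event = Dict[str, object]
ExceptionPredicate = Callable[[Event], bool]

# Constructed sample events. All four were flagged by the (assumed) rule.
EVENTS: List[Event] = [
    {"id": 1, "host.name": "ws01",
     "file.path": "C:\\Scripts\\inventory.ps1",          # script run from disk
     "powershell.file.script_block_text": "# Inventory collector v3\nGet-CimInstance Win32_Product",
     "rule_hit": True},
    {"id": 2, "host.name": "ws01",
     "file.path": None,                                  # in-memory block, no path logged
     "powershell.file.script_block_text": "# ContosoMonitoring agent\nInvoke-ContosoCheck",
     "rule_hit": True},
    {"id": 3, "host.name": "ws01",
     "file.path": None,
     "powershell.file.script_block_text": "<unknown script block>",  # nothing known-good here
     "rule_hit": True},
    {"id": 4, "host.name": "ws02",
     "file.path": None,
     "powershell.file.script_block_text": "# ContosoMonitoring agent\nInvoke-ContosoCheck",
     "rule_hit": True},
]


def host_exception(host: str) -> ExceptionPredicate:
    """Whole-machine exception: suppresses everything on that host, known-good or not."""
    return lambda e: e.get("host.name") == host


def path_exception(path: str) -> ExceptionPredicate:
    """Exception keyed on the script's file path (only usable when file.path is logged)."""
    return lambda e: str(e.get("file.path") or "").lower() == path.lower()


def script_text_exception(marker: str) -> ExceptionPredicate:
    """Exception keyed on a known-good marker inside the script block text.

    Applied only when file.path is absent, mirroring the thread's remark that the
    script text is used for tuning when the path is missing. The marker is an
    assumed, constructed vendor header; choose something specific to your scripts.
    """
    return lambda e: (
        e.get("file.path") is None
        and marker in str(e.get("powershell.file.script_block_text") or "")
    )


def remaining_alerts(events: List[Event], exceptions: List[ExceptionPredicate]) -> List[int]:
    """Return ids of rule hits that survive every exception in the list."""
    return [
        e["id"] for e in events
        if e["rule_hit"] and not any(exc(e) for exc in exceptions)
    ]


if __name__ == "__main__":
    broad = remaining_alerts(EVENTS, [host_exception("ws01")])
    narrow = remaining_alerts(EVENTS, [
        path_exception("C:\\Scripts\\inventory.ps1"),
        script_text_exception("# ContosoMonitoring agent"),
    ])
    print("host-wide exception leaves alerts:", broad)     # unknown block on ws01 is lost
    print("path + script-text exceptions leave:", narrow)  # unknown block on ws01 still alerts
```

The host-wide exception silences event 3, the one script block nobody has vouched for, while the path and script-text exceptions suppress only the two known-good scripts and keep firing on the unknown block, on both hosts.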

Thank you Samir,
I opened up issue #4752.

The issue could be fixed by a "rule update". It was more or less a lack of knowledge that the rules need to be updated manually. After updating the rules there are far fewer alerts and they seem to be more precise. Thanks for the really good support to @Samir_Bousseaden.
