The Problem
Rules that are based on PowerShell, like Disabling Windows Defender Security Settings via PowerShell and Windows Firewall Disabled via PowerShell, are not giving alerts back.
Windows Firewall Disabled via PowerShell | Elastic Security Solution [8.6] | Elastic
These are the queries those rules filter on; they use the process.args field to filter on commands:

```eql
process where event.type == "start" and
  (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
   process.pe.original_file_name in ("powershell.exe", "pwsh.dll", "powershell_ise.exe")) and
  process.args : "Set-MpPreference" and
  process.args : ("-Disable*", "Disabled", "NeverSend", "-Exclusion*")
```

```eql
process where event.action == "start" and
  (process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") or
   process.pe.original_file_name == "PowerShell.EXE") and
  process.args : "*Set-NetFirewallProfile*" and
  (process.args : "*-Enabled*" and process.args : "*False*") and
  (process.args : "*-All*" or process.args : ("*Public*", "*Domain*", "*Private*"))
```
Most of the powershell.exe args are empty, and the rules check on the args.
The operational logs of PowerShell seem to have the data I need.
To grab this data into Elastic I will need a custom Windows log integration.
It does not use the process.args field.
Does anyone have an idea what I am doing wrong here?
I could edit the rule to filter on winlog.event_data.ScriptBlockText, but I would like to know why the process.args field isn't working.
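To make the symptom concrete, here is an added example (not part of the original post or of Elastic's rule code) that re-implements the matching logic of the two rules above in Python and runs it over constructed process events. It approximates EQL's `:` operator with case-insensitive wildcard matching of any array element, and shows that an event whose `process.args` array is empty can never match, whereas the same token patterns applied to a constructed `winlog.event_data.ScriptBlockText` value (PowerShell script block logging) still see the command. The field layout of the constructed events and the `rule_on_scriptblock` helper are assumptions made for the example.

```python
"""Simulate the process.args matching of the two EQL rules over constructed events."""
from fnmatch import fnmatchcase

POWERSHELL_NAMES = ["powershell.exe", "pwsh.exe", "powershell_ise.exe"]


def eql_match(value, patterns):
    """Approximate EQL ':' : case-insensitive wildcard match of any element of
    `value` (string or list) against any of `patterns` (string or list)."""
    values = [value] if isinstance(value, str) else list(value)
    pats = [patterns] if isinstance(patterns, str) else list(patterns)
    return any(fnmatchcase(v.lower(), p.lower()) for v in values for p in pats)


def is_powershell(proc, original_names):
    """process.name : (...) or process.pe.original_file_name in (...)."""
    return (eql_match(proc.get("name", ""), POWERSHELL_NAMES)
            or proc.get("pe", {}).get("original_file_name") in original_names)


def defender_rule(event):
    """Mirror of 'Disabling Windows Defender Security Settings via PowerShell'."""
    proc = event.get("process", {})
    if event.get("event", {}).get("type") != "start":
        return False
    if not is_powershell(proc, ("powershell.exe", "pwsh.dll", "powershell_ise.exe")):
        return False
    args = proc.get("args", [])  # empty list when the collector shipped no args
    return (eql_match(args, "Set-MpPreference")
            and eql_match(args, ["-Disable*", "Disabled", "NeverSend", "-Exclusion*"]))


def firewall_rule(event):
    """Mirror of 'Windows Firewall Disabled via PowerShell'."""
    proc = event.get("process", {})
    if event.get("event", {}).get("action") != "start":
        return False
    if not is_powershell(proc, ("PowerShell.EXE",)):
        return False
    args = proc.get("args", [])
    return (eql_match(args, "*Set-NetFirewallProfile*")
            and eql_match(args, "*-Enabled*") and eql_match(args, "*False*")
            and (eql_match(args, "*-All*")
                 or eql_match(args, ["*Public*", "*Domain*", "*Private*"])))


def rule_on_scriptblock(event, rule):
    """Assumed variant: tokenize winlog.event_data.ScriptBlockText (script block
    logging) and feed the tokens through the same rule in place of process.args."""
    text = event.get("winlog", {}).get("event_data", {}).get("ScriptBlockText", "")
    proc = {"name": "powershell.exe", "args": text.split()}
    probe = {"event": {"type": "start", "action": "start"}, "process": proc}
    return rule(probe)


# Constructed sample events (not captured from a real host).
EV_FULL_ARGS = {"event": {"type": "start", "action": "start"},
                "process": {"name": "powershell.exe",
                            "args": ["powershell.exe", "Set-MpPreference",
                                     "-DisableRealtimeMonitoring", "$true"]}}
EV_EMPTY_ARGS = {"event": {"type": "start", "action": "start"},
                 "process": {"name": "powershell.exe", "args": []}}
EV_SCRIPTBLOCK = {"winlog": {"event_data": {
    "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"}}}
EV_FIREWALL = {"event": {"type": "start", "action": "start"},
               "process": {"name": "powershell.exe",
                           "args": ["powershell.exe", "Set-NetFirewallProfile", "-Profile",
                                    "Domain,Public,Private", "-Enabled", "False"]}}


def summary():
    """Return which constructed events each rule would alert on."""
    return {
        "defender_full_args": defender_rule(EV_FULL_ARGS),
        "defender_empty_args": defender_rule(EV_EMPTY_ARGS),
        "defender_scriptblock": rule_on_scriptblock(EV_SCRIPTBLOCK, defender_rule),
        "firewall_full_args": firewall_rule(EV_FIREWALL),
        "firewall_empty_args": firewall_rule(EV_EMPTY_ARGS),
    }


if __name__ == "__main__":
    for name, hit in summary().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The `defender_empty_args` and `firewall_empty_args` results are the situation described in the post: the rule logic is fine, but with no `process.args` values shipped there is nothing for the wildcards to match, so no alert is possible regardless of what PowerShell actually ran.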