When I originally wrote the rule, I didn't add OneNote for a reason. Unfortunately, I forgot why and can't seem to find it in my notes.
It should be fixed in the next PR merge. Thanks for reporting.
Rule UUID
7fd164ba-126a-4d9c-9392-0d4f7c243df0
Example EventLog
| Field | Value |
|---|---|
| Process name | ONENOTE.EXE (pid=9264) |
| Image name | C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE |
| Command-line | C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE |
| Execution | Detected |
| Current directory | C:\windows\System32 |
| Process Create Time | 2023/09/19 09:49:21.844 |
| Size | 2183064 (2.08 MiB) |
| MD5 | 33cfc5f3499b2bb5a31a6bb6c7ead777 |
| SHA1 | 24d63a814087fc454cf7adfdc178fba8e5e40922 |
| SHA256 | 3cf3b6e328da207d05cb1f43b6165a8723d8b5f3ca97873cafa542f55763241e |
| IMPHASH | 76DA2949E887EAD30D90E21A69AD1A35 |
| PE timestamp | 2023-08-01 00:50:53Z |
| Signed | Authenticode |
| Signer name | Microsoft Corporation |
| Root CA name | Microsoft Root Certificate Authority 2011 |
| Company name | Microsoft Corporation |
| File Description | Microsoft OneNote |
| File version | 16.0.10401.20025 |
| Internal name | OneNote |
| Legal copyright | |
| Original filename | OneNote.exe |
| Product name | Microsoft OneNote |
| Product version | 16.0.10401.20025 |
Description
`target_filename`: `C:\Users\xxxxxxxx\AppData\Local\Temp\OneNote Archive\xxxxxxx`
I propose (but am not sure :) ) that it is OK for this rule to whitelist the ONENOTE process itself.
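As an added illustration (not the contents of rule 7fd164ba-126a-4d9c-9392-0d4f7c243df0 and not code from the SigmaHQ repository), this is the shape such an allowlist filter takes in Sigma syntax; the rule title, the selection's process list and the `Temp` path prefix are assumptions, while the ONENOTE.EXE image name and the `OneNote Archive` directory come from the event reported above:

```yaml
# Added illustration only: shows how a filter that excludes OneNote's own
# writes to its "OneNote Archive" temp folder fits into a Sigma file_event
# rule. The title and the selection block are assumed placeholders, not
# the real rule's content.
title: Office Application Writing To Temp Location (illustrative)
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
            - '\ONENOTE.EXE'
        TargetFilename|contains: '\AppData\Local\Temp\'
    # Allowlist scoped to both the process and the directory seen in the
    # reported event, so the exclusion does not cover every ONENOTE.EXE write
    filter_onenote_archive:
        Image|endswith: '\ONENOTE.EXE'
        TargetFilename|contains: '\AppData\Local\Temp\OneNote Archive\'
    condition: selection and not filter_onenote_archive
falsepositives:
    - OneNote writing its own files under %LOCALAPPDATA%\Temp\OneNote Archive\
level: medium
```

Pairing the image name with the target directory keeps the allowlist narrow: `Image|endswith` alone would also match any binary renamed to ONENOTE.EXE, whereas requiring the `OneNote Archive` path limits the exclusion to the behaviour actually observed.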