Description
Link to Rule
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
Each time OneDrive starts, its per-user startup task triggers this rule. To remove these false positives, add the following pattern to the rule's existing TaskName exclusion list (EQL string form, backslash escaped):
\\OneDrive Startup Task-S-1-5-21*
The next part is not necessary to make the rule work but might be worth looking into:
The required field winlog.event_data.TaskName needs to be updated: its type is currently reported as unknown. Setting the type to keyword removes the error:
Example Data
Suggested solution:
```toml
query = '''
iam where event.action == "scheduled-task-updated" and

 /* excluding tasks created by the computer account */
 not user.name : "*$" and
 not winlog.event_data.TaskName : "*Microsoft*" and
 not winlog.event_data.TaskName :
          ("\\User_Feed_Synchronization-*",
           "\\OneDrive Startup Task-S-1-5-21*",
           "\\OneDrive Reporting Task-S-1-5-21*",
           "\\OneDrive Reporting Task-S-1-12-1-*",
           "\\Hewlett-Packard\\HP Web Products Detection",
           "\\Hewlett-Packard\\HPDeviceCheck",
           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant",
           "\\IpamDnsProvisioning",
           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantAllUsersRun",
           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun",
           "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun",
           "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v*",
           "\\Microsoft\\VisualStudio\\Updates\\BackgroundDownload") and
 not winlog.event_data.SubjectUserSid : ("S-1-5-18", "S-1-5-19", "S-1-5-20")
'''
```
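To check what the tuned exclusion list does before and after the change, here is an added Python re-implementation of the rule's `not ...` clauses run over constructed sample events; it is not part of the issue or of the Elastic rule, the `eql_match` helper only approximates EQL's `:` operator (case-insensitive, `*` wildcard), and the event values and SIDs are made up.

```python
import re
# Exclusion list from the tuned rule; backslashes are literal, as in the event data.
EXCLUDED_TASK_NAMES = [
    r"\User_Feed_Synchronization-*",
    r"\OneDrive Startup Task-S-1-5-21*",  # the exclusion proposed in this issue
    r"\OneDrive Reporting Task-S-1-5-21*",
    r"\OneDrive Reporting Task-S-1-12-1-*",
    r"\Hewlett-Packard\HP Web Products Detection",
    r"\Hewlett-Packard\HPDeviceCheck",
    r"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant",
    r"\IpamDnsProvisioning",
    r"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantAllUsersRun",
    r"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun",
    r"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun",
    r"\Microsoft\Windows\.NET Framework\.NET Framework NGEN v*",
    r"\Microsoft\VisualStudio\Updates\BackgroundDownload",
]
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE

def eql_match(value, pattern):
    """Approximation of EQL's ':' operator: case-insensitive, '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def alerts(event, exclusions=EXCLUDED_TASK_NAMES):
    """True when the event survives every 'not ...' clause of the rule."""
    if event.get("event.action") != "scheduled-task-updated":
        return False
    task = event.get("winlog.event_data.TaskName", "")
    if eql_match(event.get("user.name", ""), "*$"):  # computer account
        return False
    if eql_match(task, "*Microsoft*") or any(eql_match(task, p) for p in exclusions):
        return False
    return event.get("winlog.event_data.SubjectUserSid") not in SERVICE_SIDS

def _event(task, user="jdoe", sid="S-1-5-21-1111111111-2222222222-3333333333-1001"):
    return {"event.action": "scheduled-task-updated", "user.name": user,
            "winlog.event_data.TaskName": task, "winlog.event_data.SubjectUserSid": sid}

# Constructed sample events (hypothetical user, SID and task names), not real telemetry.
SAMPLE_EVENTS = [
    _event(r"\OneDrive Startup Task-S-1-5-21-1111111111-2222222222-3333333333-1001"),
    _event(r"\Updater"),
    _event(r"\Microsoft\Windows\Defrag\ScheduledDefrag", user="WKSTN01$", sid="S-1-5-18"),
]

def alerting_tasks(events, exclusions=EXCLUDED_TASK_NAMES):
    """Task names that would still raise an alert under the given exclusion list."""
    return [e["winlog.event_data.TaskName"] for e in events if alerts(e, exclusions)]
```

Passing the list without the `\\OneDrive Startup Task-S-1-5-21*` entry shows the OneDrive event alerting again, while the unrelated `\Updater` task alerts under both lists.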
winlog.event_data.TaskName set to keyword: