Samirbous committed Dec 18, 2024
1 parent a24862a commit 2d65d08
Showing 2 changed files with 10 additions and 10 deletions.
Expand Up @@ -32,16 +32,15 @@ Malicious behavior protection is a foundational feature which can be used to pro
### Possible investigation steps
- Assess whether this activity is prevalent in your environment by looking for similar occurrences across hosts.
- Verify the detailed activity of the process that triggered the alert (process tree, child process, process.command_line, network, files, libraries and registry events).
- Verify the detailed activity of the process that triggered the alert (process tree, child process, process arguments, network, files, libraries and registry events).
- Verify the activity of the `user.name` associated with the alert (local or remote actity, privileged or standard user).
- Particular attention should be paid to instances where the same process is triggering multiple alerts (more than 2) within a short timespan.
- Even the the process is signed by valid certificate, verify the if it's running from the expected location, and if it's loading any suspicious libraries.
- Particular attention should be paid to instances where the same process is triggering multiple alerts (more than 2 or 3) within a short period of time.
- Even the the process is signed by a valid certificate, verify the if it's running from the expected location or if it's loading any suspicious libraries or any sign of code injection.
### False positive analysis
- Same alert details are observed on multiple hosts and this activity is associated to some legit administration activity.
- Same alert observed on a high number of hosts with similar details.
- High count of the same alert on a specific host over a long period of time.
### Response and Remediation
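Review bot: the rewritten bullet "Even the the process is signed by a valid certificate, verify the if it's running from the expected location or if it's loading any suspicious libraries or any sign of code injection." keeps two typos from the old line ("the the", "verify the if") and adds a dangling clause ("or any sign of code injection" has no verb). Suggest: "Even if the process is signed by a valid certificate, verify that it is running from the expected location and that it is not loading suspicious libraries or showing signs of code injection." Two smaller points in the same hunk: changing the threshold from "more than 2" to "more than 2 or 3" makes the guidance vaguer rather than sharper, so pick one number; and the untouched context line just above still reads "remote actity" where "remote activity" is meant, which could be fixed in the same commit.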
Expand Up @@ -32,15 +32,16 @@ Malicious behavior protection is a foundational feature which can be used to pro
### Possible investigation steps
- Assess whether this activity is prevalent in your environment by looking for similar occurrences across hosts.
- Verify the detailed activity of the process that triggered the alert (process tree, child process, process.command_line, network, files, libraries and registry events).
- Verify the detailed activity of the process that triggered the alert (process tree, child process, process arguments, network, files, libraries and registry events).
- Verify the activity of the `user.name` associated with the alert (local or remote actity, privileged or standard user).
- Particular attention should be paid to instances where the same process is triggering multiple alerts (more than 2) within a short timespan.
- Even the the process is signed by valid certificate, verify the if it's running from the expected location, and if it's loading any suspicious libraries.
- Particular attention should be paid to instances where the same process is triggering multiple alerts (more than 2 or 3) within a short period of time.
- Even the the process is signed by a valid certificate, verify the if it's running from the expected location or if it's loading any suspicious libraries or any sign of code injection.
### False positive analysis
- Same alert details are observed on multiple hosts and this activity is associated to some legit administration activity.
- Same alert observed on a high number of hosts with similar details.
- High count of the same alert on a specific host over a long period of time.
### Response and Remediation
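Review bot: this hunk makes the same two wording changes as the first changed file and carries the same leftover defects: "Even the the process" and "verify the if it's" are typos copied forward from the old line, and "or any sign of code injection" is left without a verb. Suggest the same rewrite here: "Even if the process is signed by a valid certificate, verify that it is running from the expected location and that it is not loading suspicious libraries or showing signs of code injection." Since both files carry identical investigation-step text, consider a single threshold ("more than 2" or "more than 3", not "more than 2 or 3") applied consistently in both, and fix "remote actity" in the adjacent context line while touching this block.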