From 2d65d083202bcfa20e07a0f0751b85fb50f43ac5 Mon Sep 17 00:00:00 2001 From: Samirbous Date: Wed, 18 Dec 2024 09:00:14 +0000 Subject: [PATCH] ++ --- .../elastic_endpoint_security_behavior_detected.toml | 11 +++++------ .../elastic_endpoint_security_behavior_prevented.toml | 9 +++++---- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml index 31f236fa7db..a2c6958dfd4 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml 
@@ -32,16 +32,15 @@ Malicious behavior protection is a foundational feature which can be used to pro ### Possible investigation steps - Assess whether this activity is prevalent in your environment by looking for similar occurrences across hosts. -- Verify the detailed activity of the process that triggered the alert (process tree, child process, process.command_line, network, files, libraries and registry events). +- Verify the detailed activity of the process that triggered the alert (process tree, child process, process arguments, network, files, libraries and registry events). - Verify the activity of the `user.name` associated with the alert (local or remote actity, privileged or standard user). -- Particular attention should be paid to instances where the same process is triggering multiple alerts (more than 2) within a short timespan. -- Even the the process is signed by valid certificate, verify the if it's running from the expected location, and if it's loading any suspicious libraries. - +- Particular attention should be paid to instances where the same process is triggering multiple alerts (more than 2 or 3) within a short period of time. +- Even the the process is signed by a valid certificate, verify the if it's running from the expected location or if it's loading any suspicious libraries or any sign of code injection. ### False positive analysis -- Same alert details are observed on multiple hosts and this activity is associated to some legit administration activity. - +- Same alert observed on a high number of hosts with similar details. +- High count of the same alert on a specific host over a long period of time. ### Response and Remediation diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml index 4a20ade2f6d..1e0722f914b 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml 
+++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml @@ -32,15 +32,16 @@ Malicious behavior protection is a foundational feature which can be used to pro ### Possible investigation steps - Assess whether this activity is prevalent in your environment by looking for similar occurrences across hosts. -- Verify the detailed activity of the process that triggered the alert (process tree, child process, process.command_line, network, files, libraries and registry events). +- Verify the detailed activity of the process that triggered the alert (process tree, child process, process arguments, network, files, libraries and registry events). - Verify the activity of the `user.name` associated with the alert (local or remote actity, privileged or standard user). -- Particular attention should be paid to instances where the same process is triggering multiple alerts (more than 2) within a short timespan. -- Even the the process is signed by valid certificate, verify the if it's running from the expected location, and if it's loading any suspicious libraries. +- Particular attention should be paid to instances where the same process is triggering multiple alerts (more than 2 or 3) within a short period of time. +- Even the the process is signed by a valid certificate, verify the if it's running from the expected location or if it's loading any suspicious libraries or any sign of code injection. ### False positive analysis -- Same alert details are observed on multiple hosts and this activity is associated to some legit administration activity. +- Same alert observed on a high number of hosts with similar details. +- High count of the same alert on a specific host over a long period of time. ### Response and Remediation
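Review bot: the rewritten investigation-step bullets in the elastic_endpoint_security_behavior_detected.toml hunk carry over the typos of the lines they replace: "Even the the process is signed" (doubled "the"), "verify the if it's running" (stray "the"), and the untouched context bullet "local or remote actity" ("activity"). Since these bullets are being rewritten anyway, suggest "- Even if the process is signed by a valid certificate, verify whether it is running from the expected location, whether it is loading any suspicious libraries, and whether there is any sign of code injection." Also, "(more than 2 or 3)" is vaguer than the "(more than 2)" it replaces; pick a single threshold so analysts have one number to triage against.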
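Review bot: the new "False positive analysis" bullets in the elastic_endpoint_security_behavior_prevented.toml hunk drop the qualifier that made the removed bullet useful ("associated to some legit administration activity"). Prevalence on its own is not evidence of a false positive: the same malicious-behavior alert with similar details on a high number of hosts is also what a mass-deployed or self-propagating payload looks like, and a high count of one alert on a single host over a long period is equally consistent with a persistent implant. Suggest keeping the attribution condition, e.g. "- Same alert observed on a high number of hosts with similar details, and the activity is tied to a known administration tool, deployment job or scheduled task." The identical hunk in the detected rule needs the same fix, and since both rules now carry word-for-word the same guidance, a shared note block would avoid the two files drifting apart again.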