@Samirbous Samirbous commented Nov 6, 2025

#5286

Verified cidrmatch on destination.ip works on both integrations (endpoint and sysmon):

destination.ip is of type IP and there is no destination.address of type keyword in sysmon: https://www.elastic.co/docs/reference/integrations/windows#metrics-reference


That's the only rule I can see with sysmon and using destination.address https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+destination.address+AND+%22logs-windows.sysmon%22+path%3A%2F%5Erules%5C%2Fwindows%5C%2F%2F&type=code

@Samirbous Samirbous added labels: bug (Something isn't working), Rule: Tuning (tweaking or tuning an existing rule), OS: Windows (windows related rules), Integration: Windows on Nov 6, 2025
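The field-type point made in the PR description, as an added example (not code from the elastic/detection-rules PR or rule): an EQL-style `cidrmatch()` emulated in Python and run over constructed endpoint and sysmon events, showing that a condition on `destination.address` silently never fires for sysmon data, while `destination.ip` works for both integrations. The private CIDR list is an assumption for illustration, not the rule's actual exclusion list.

```python
# Added example, not from the PR: emulate EQL cidrmatch() over constructed
# events to show why keying an exclusion on destination.address fails for
# sysmon (which has no such keyword field) but destination.ip works for both.
import ipaddress

# Assumed private ranges for the demo; the real rule's list is not on the page.
PRIVATE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def cidrmatch(value, networks):
    """EQL-style cidrmatch: True if value parses as an IP inside any network.
    A missing or unparsable value yields no match, mirroring how a condition
    on a null field never evaluates to True."""
    if value is None:
        return False
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def outbound_to_public(event, field):
    """True if `field` holds a destination outside the private ranges, i.e.
    the event would pass an 'outbound activity' rule using that field."""
    value = event.get(field)
    # A null field never satisfies the rule, even behind a negation.
    return value is not None and not cidrmatch(value, PRIVATE_RANGES)


# Constructed sample events: the endpoint integration carries both fields,
# sysmon carries only destination.ip (type ip).
ENDPOINT_EVENT = {"destination.ip": "203.0.113.9", "destination.address": "203.0.113.9"}
SYSMON_EVENT = {"destination.ip": "203.0.113.9"}
SYSMON_INTERNAL = {"destination.ip": "10.20.30.40"}


def evaluate_all():
    """Compare rule outcomes per field and per integration."""
    return {
        "address_endpoint": outbound_to_public(ENDPOINT_EVENT, "destination.address"),
        "address_sysmon": outbound_to_public(SYSMON_EVENT, "destination.address"),
        "ip_endpoint": outbound_to_public(ENDPOINT_EVENT, "destination.ip"),
        "ip_sysmon": outbound_to_public(SYSMON_EVENT, "destination.ip"),
        "ip_sysmon_internal": outbound_to_public(SYSMON_INTERNAL, "destination.ip"),
    }
```

`address_sysmon` comes back False even for a public destination, which is the coverage gap the switch to `destination.ip` closes.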
github-actions bot commented Nov 6, 2025

Bug - Guidelines

These guidelines serve as a reminder set of considerations when addressing a bug in the code.

Documentation and Context

  • Provide detailed documentation (description, screenshots, reproducing the bug, etc.) of the bug if not already documented in an issue.
  • Include additional context or details about the problem.
  • Ensure the fix includes necessary updates to the release documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the bug fix or edge cases.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and detecting the bug fix (e.g., test logs, screenshots).
  • Validate that any rules affected by the bug are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the bug fix works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR patch, minor, major.

tradebot-elastic commented Nov 6, 2025

⛔️ Test failed

Results
  • ❌ Outbound Scheduled Task Activity via PowerShell (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta


Labels: backport: auto, bug (Something isn't working), Domain: Endpoint, Integration: Windows, OS: Windows (windows related rules), Rule: Tuning (tweaking or tuning an existing rule)
