[Rule Tuning] Enumeration of Administrator Accounts

[soc-sinstar]

Link to Rule

https://github.com/elastic/detection-rules/blob/5155f47b86a44ee8ba157edf9a802a77fba42250/rta/enum_commands.py

Rule Tuning Type

None

Description

The rule fails with this error

An error occurred during rule execution: message: "verification_exception
Root causes:
verification_exception: Found 1 problem
line 8:5: Unknown column [process.args], did you mean any of [process.name, process.name.text, process.parent.name]?"

I believe that the issue is that the index pattern list includes logs-system.security*, however this index does not know the field process.args
As I am using both the Windows and System integration, the rule fails because of the latter.

I suggest to remove logs-system.security* from the index pattern list.

Example Data

[mbudge]

[w0rk3r]

Hey @soc-sinstar, this rule is compatible with the data source mentioned, but it seems that you are not logging the command line in process creation events.

We are making some improvements on the documentation of how to set audit policies for these rules, here is one of these PRs: #4501. In the near future, we will also specify the audit policies that need to be enabled in the rules setup guides. For now, you can check this for more information on how to enable it.

(And thanks @mbudge)