[Rule Tuning] Suspicious Endpoint Security Parent Process - Wrong or missing SecurityHealthHost path #4746

Open
@willemdh

Description

Link to Rule

https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

On my Windows 11, I get false positives for the rule "Suspicious Endpoint Security Parent Process" when parent process C:\Windows\System32\SecurityHealth\10.0.27777.1008-0\SecurityHealthHost.exe starts C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe.

There is a built-in exception in the rule definition, but it seems another SecurityHealthHost.exe

?:\\Windows\\System32\\SecurityHealth\\*\\SecurityHealthHost.exe should be added, it seems?

Example Data

Sanitized alert:

{
  "alert": {
    "rule_name": "Suspicious Endpoint Security Parent Process",
    "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a",
    "severity": "medium",
    "risk_score": 47,
    "timestamp": "2025-05-16T05:46:45.566Z",
    "reason": "process event with process elastic-endpoint.exe, parent process SecurityHealthHost.exe"
  },
  "process": {
    "name": "elastic-endpoint.exe",
    "executable": "C:\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe",
    "args": [
      "C:\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe",
      "/launch",
      "/av"
    ],
    "command_line": "\"C:\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe\" /launch /av",
    "pid": 16100,
    "code_signature": {
      "subject_name": "Elasticsearch, Inc.",
      "trusted": true
    }
  },
  "parent_process": {
    "name": "SecurityHealthHost.exe",
    "executable": "C:\\Windows\\System32\\SecurityHealth\\10.0.27777.1008-0\\SecurityHealthHost.exe",
    "command_line": "\\\\?\\C:\\Windows\\System32\\SecurityHealth\\10.0.27777.1008-0\\SecurityHealthHost.exe {GUID} -Embedding",
    "pid": 16056,
    "code_signature": {
      "subject_name": "Microsoft Windows",
      "trusted": true
    }
  },
  "host": {
    "os": "Windows 11 Pro 23H2 (10.0.22631.5335)",
    "hostname": "host123.example.local"
  },
  "user": {
    "name": "analyst_user"
  },
  "agent": {
    "id": "f55431af-4658-40c3-968d-390a008d989b",
    "version": "9.0.1",
    "type": "endpoint"
  },
  "event": {
    "action": "start",
    "module": "endpoint",
    "category": ["process"],
    "kind": "signal",
    "dataset": "endpoint.events.process",
    "id": "O0PEbmhugbsqw+kV++++5el3"
  }
}
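To make the false positive reproducible offline, here is an added example (not part of the issue, and not the rule's own query or Elastic's code) that emulates the parent-path exception check over the sanitized alert above. It assumes a simplified rule ("elastic-endpoint.exe started by a parent whose executable matches none of the excluded paths"), a stand-in exclusion list named ASSUMED_EXISTING_EXCLUSIONS that is a guess at what the built-in exception covers, EQL ':'-style wildcard semantics (case-insensitive, '*' matches any run of characters including backslashes, '?' exactly one character), and adds a parent code-signature gate that the real exception may not have. It also goes beyond the reported case by checking a few look-alike parent paths.

```python
"""Emulate the parent-process exception of the "Suspicious Endpoint Security
Parent Process" rule over the sanitized alert from this issue.

Assumptions (not taken from the real rule): the rule is simplified to
"elastic-endpoint.exe started by a parent not covered by an excluded path";
ASSUMED_EXISTING_EXCLUSIONS is a stand-in for the built-in exception; wildcard
matching follows the EQL ':' operator (case-insensitive, '*' = any characters
including backslashes, '?' = one character); the signature gate is an addition.
"""
import copy
import re

# Stand-in for the rule's existing built-in exception (assumed, not copied from the rule).
ASSUMED_EXISTING_EXCLUSIONS = [
    r"?:\Windows\System32\SecurityHealthHost.exe",
]

# The pattern proposed in the issue, which also covers the versioned sub-folder.
PROPOSED_EXCLUSIONS = ASSUMED_EXISTING_EXCLUSIONS + [
    r"?:\Windows\System32\SecurityHealth\*\SecurityHealthHost.exe",
]

# Constructed from the sanitized alert in the issue; only the fields the check uses.
ALERT_EVENT = {
    "process": {
        "name": "elastic-endpoint.exe",
        "executable": r"C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe",
    },
    "parent_process": {
        "name": "SecurityHealthHost.exe",
        "executable": r"C:\Windows\System32\SecurityHealth\10.0.27777.1008-0\SecurityHealthHost.exe",
        "code_signature": {"subject_name": "Microsoft Windows", "trusted": True},
    },
}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an EQL-style wildcard path into an anchored, case-insensitive regex."""
    escaped = re.escape(pattern)
    # re.escape turns '*' into '\*' and '?' into '\?'; swap those back into wildcards.
    escaped = escaped.replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE | re.DOTALL)


def matches_any(value: str, patterns) -> bool:
    """True if the value fully matches at least one wildcard pattern."""
    return any(wildcard_to_regex(p).fullmatch(value) for p in patterns)


def parent_is_excluded(event: dict, exclusions) -> bool:
    """An exclusion applies only if the parent path matches AND the parent carries a
    trusted 'Microsoft Windows' signature. The signature gate is an addition here so a
    look-alike binary dropped under a matching path (the '*' spans any sub-folder) is
    not excused by the path alone."""
    parent = event["parent_process"]
    sig = parent.get("code_signature", {})
    signed_by_ms = sig.get("trusted") is True and sig.get("subject_name") == "Microsoft Windows"
    return signed_by_ms and matches_any(parent["executable"], exclusions)


def rule_fires(event: dict, exclusions) -> bool:
    """Simplified rule: elastic-endpoint.exe whose parent is not covered by an exclusion."""
    if event["process"]["name"].lower() != "elastic-endpoint.exe":
        return False
    return not parent_is_excluded(event, exclusions)


def with_parent(event: dict, executable: str, trusted: bool = True) -> dict:
    """Copy of the event with a different parent executable / signature trust state."""
    e = copy.deepcopy(event)
    e["parent_process"]["executable"] = executable
    e["parent_process"]["code_signature"]["trusted"] = trusted
    return e


if __name__ == "__main__":
    print("fires with assumed current exclusions:", rule_fires(ALERT_EVENT, ASSUMED_EXISTING_EXCLUSIONS))
    print("fires with proposed pattern added:    ", rule_fires(ALERT_EVENT, PROPOSED_EXCLUSIONS))
    lookalike = with_parent(
        ALERT_EVENT, r"C:\Windows\System32\SecurityHealth\x\SecurityHealthHost.exe", trusted=False
    )
    print("unsigned look-alike still fires:      ", rule_fires(lookalike, PROPOSED_EXCLUSIONS))
```

Because the proposed '*' sits between two backslashes, it accepts any depth of sub-folder under SecurityHealth, which is what the versioned directory needs; keeping the trusted-signature condition alongside the path is the cheap way to stop that widening from excusing an unsigned binary placed there.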
