[Rule Tuning] Unusual File Creation - Alternate Data Stream - WinMerge

### Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_unusual_ads_file_creation.toml

### Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

### Description

[WinMerge](https://winmerge.org) is detected as using ADS: `<file>:sec.endpointdlp:$DATA`.
As it's signed, it might be worth excluding it from the rule.

process.code_signature.exists	true
process.code_signature.status	trusted
process.code_signature.subject_name	Takashi Sawanaka
process.code_signature.trusted	true
process.executable	C:\Program Files\WinMerge\WinMergeU.exe

### Example Data

_No response_

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Rule Tuning] Unusual File Creation - Alternate Data Stream - WinMerge #4764

Link to Rule

Rule Tuning Type

Description

Example Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Rule Tuning] Unusual File Creation - Alternate Data Stream - WinMerge #4764

Description

Link to Rule

Rule Tuning Type

Description

Example Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions