From 6153c115a718e285bd4bf9a2e794a1332ac40d8b Mon Sep 17 00:00:00 2001
From: JocLRojas
Date: Thu, 21 May 2026 15:07:09 +0300
Subject: [PATCH 1/4] refactor(filters): update macOS filter configuration
---
filters/macos/macos.yml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/filters/macos/macos.yml b/filters/macos/macos.yml
index 1bdc6e3e9..35eb41559 100644
--- a/filters/macos/macos.yml
+++ b/filters/macos/macos.yml
@@ -25,4 +25,8 @@ pipeline:
- rename:
from:
- log.threadidentifier
- to: log.threadIdentifier
\ No newline at end of file
+ to: log.threadIdentifier
+
+ # Drop unnecessary events
+ - drop:
+ where: equals("log.level", "notice") && contains("log.subsystem", "com.apple.cloudkit") || contains("log.subsystem", "com.apple.CoreDuet") || oneOf("log.subsystem", ["com.apple.apsd", "com.apple.bluetooth", "com.apple.SkyLight", "com.apple.mDNSResponder", "com.apple.homed", "com.apple.identityservicesd", "com.apple.powerlogd", "com.apple.analyticsd", "com.apple.UIKit", "com.apple.runningboard", "com.apple.WiFiManager", "com.apple.xpc", "com.apple.cache_delete", "com.apple.spotlightindex"])
\ No newline at end of file
From 5237280d13600535578717f9d46b5c057e0035d8 Mon Sep 17 00:00:00 2001
From: JocLRojas
Date: Thu, 21 May 2026 15:07:53 +0300
Subject: [PATCH 2/4] chore(rules): remove Office365 brute force detection rule
---
...t_365_brute_force_user_account_attempt.yml | 30 -------------------
1 file changed, 30 deletions(-)
delete mode 100644 rules/office365/credential_access_microsoft_365_brute_force_user_account_attempt.yml
diff --git a/rules/office365/credential_access_microsoft_365_brute_force_user_account_attempt.yml b/rules/office365/credential_access_microsoft_365_brute_force_user_account_attempt.yml
deleted file mode 100644
index 0480cfc14..000000000
--- a/rules/office365/credential_access_microsoft_365_brute_force_user_account_attempt.yml
+++ /dev/null
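Review bot: The new `where` expression mixes `&&` and `||` with no grouping, so if this expression language binds `&&` tighter than `||` (as most do) the `equals("log.level", "notice")` test only gates the `com.apple.cloudkit` branch, and every event from `com.apple.CoreDuet` and the fourteen `oneOf` subsystems (`com.apple.xpc`, `com.apple.runningboard`, `com.apple.identityservicesd` and `com.apple.mDNSResponder` among them) is dropped at any level, error and fault messages included. If the intent is to drop only notice-level chatter, parenthesize the subsystem alternatives, keeping the existing list: `where: equals("log.level", "notice") && (contains("log.subsystem", "com.apple.cloudkit") || contains("log.subsystem", "com.apple.CoreDuet") || oneOf("log.subsystem", [...]))`. Because this is a pre-rule drop in the pipeline, the comment should state the intent rather than "unnecessary", e.g. `# Drop notice-level chatter from known-noisy Apple subsystems; higher-severity events from these subsystems are kept for detection`, and the lowercase `notice` value is worth confirming against a sample event since nothing in this file shows what the collector emits for `log.level`. The new side also still ends without a trailing newline (`\ No newline at end of file`), which this refactor could have fixed.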
@@ -1,30 +0,0 @@
-# Rule version v1.0.3
-
-dataTypes:
- - "o365"
-name: "Attempts to Brute Force a Microsoft 365 User Account"
-impact:
- confidentiality: 3
- integrity: 3
- availability: 3
-category: "Credential Access"
-technique: "T1110 - Brute Force"
-adversary: origin
-references:
- - "https://attack.mitre.org/techniques/T1110/"
- - "https://attack.mitre.org/tactics/TA0006/"
-description: "Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.
- Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts."
-where: |
- oneOf("log.Workload", ["Exchange", "AzureActiveDirectory"]) && oneOf("action", ["UserLoginFailed", "PasswordLogonInitialAuthUsingPassword"]) && oneOf("actionResult", ["Failed", "False"]) && exists("origin.user")
-afterEvents:
- - indexPattern: v11-log-o365-*
- with:
- - field: origin.user
- operator: filter_term
- value: '{{.origin.user}}'
- within: now-60s
- count: 5
-groupBy:
- - adversary.ip
- - adversary.user
From baaa058c1840bd4671bd8dd1ac9cefd86245e029 Mon Sep 17 00:00:00 2001
From: JocLRojas
Date: Thu, 21 May 2026 15:08:30 +0300
Subject: [PATCH 3/4] chore(rules): remove PowerShell Empire detection rule
---
rules/windows/powershell_empire_detection.yml | 48 ------------------------------
1 file changed, 48 deletions(-)
delete mode 100644 rules/windows/powershell_empire_detection.yml
diff --git a/rules/windows/powershell_empire_detection.yml b/rules/windows/powershell_empire_detection.yml
deleted file mode 100644
index 7ce3ca73f..000000000
--- a/rules/windows/powershell_empire_detection.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-# Rule version v1.0.0
-
-dataTypes:
- - wineventlog
-name: PowerShell Empire Detection
-impact:
- confidentiality: 3
- integrity: 3
- availability: 2
-category: Execution
-technique: "T1059.001 - Command and Scripting Interpreter: PowerShell"
-adversary: origin
-references:
- - https://attack.mitre.org/techniques/T1059/001/
- - https://www.powershellempire.com/
- - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging
-description: |
- Detects potential PowerShell Empire framework usage based on characteristic command patterns, obfuscation techniques, and encoded payloads commonly used by this post-exploitation framework. PowerShell Empire is a post-exploitation framework that uses PowerShell and Python agents to maintain persistence and execute commands on compromised systems.
-
- Next Steps:
- 1. Immediately isolate the affected host to prevent lateral movement
- 2. Analyze the complete PowerShell script block content for additional IOCs
- 3. Check for persistence mechanisms (scheduled tasks, registry entries, services)
- 4. Review network connections from the host for C2 communication
- 5. Examine process tree and parent processes that spawned PowerShell
- 6. Search for additional Empire artifacts across the environment
- 7. Reset credentials for any accounts used on the compromised system
- 8. Conduct memory analysis to identify injected code or payloads
- 9. Review recent user activity and file access patterns
- 10. 
Update endpoint detection rules based on specific Empire techniques observed
-where: |
- (equals("log.eventCode", "4104") || equals("log.eventId", 4104)) &&
- equals("log.providerName", "Microsoft-Windows-PowerShell") &&
- (
- contains("log.eventDataScriptBlockText", "System.Management.Automation.AmsiUtils") ||
- regexMatch("log.eventDataScriptBlockText", "(?i)(empire|invoke-empire|invoke-psempire)") ||
- regexMatch("log.eventDataScriptBlockText", "(?i)\\[System\\.Convert\\]::FromBase64String") ||
- regexMatch("log.eventDataScriptBlockText", "(?i)IEX\\s*\\(\\s*New-Object") ||
- regexMatch("log.eventDataScriptBlockText", "(?i)-enc\\s+[A-Za-z0-9+/=]{100,}") ||
- regexMatch("log.eventDataScriptBlockText", "(?i)\\$DoIt\\s*=\\s*@") ||
- regexMatch("log.eventDataScriptBlockText", "(?i)\\[System\\.Text\\.Encoding\\]::Unicode\\.GetString") ||
- contains("log.eventDataScriptBlockText", "Invoke-Shellcode") ||
- contains("log.eventDataScriptBlockText", "Invoke-ReflectivePEInjection") ||
- contains("log.eventDataScriptBlockText", "Invoke-Mimikatz")
- )
-groupBy:
- - origin.host
- - target.user
From c31950a80c572070509378ceccd3cd5e896ea254 Mon Sep 17 00:00:00 2001
From: JocLRojas
Date: Thu, 21 May 2026 15:09:18 +0300
Subject: [PATCH 4/4] chore(rules): remove RDP brute force attacks rule
---
rules/windows/rdp_brute_force_attacks.yml | 44 -----------------------------
1 file changed, 44 deletions(-)
delete mode 100644 rules/windows/rdp_brute_force_attacks.yml
diff --git a/rules/windows/rdp_brute_force_attacks.yml b/rules/windows/rdp_brute_force_attacks.yml
deleted file mode 100644
index 9161a68b9..000000000
--- a/rules/windows/rdp_brute_force_attacks.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-# Rule version v1.0.0
-
-dataTypes:
- - wineventlog
-name: RDP Brute Force Attack
-impact:
- confidentiality: 3
- integrity: 2
- availability: 2
-category: Credential Access
-technique: "T1110.001 - Brute Force: Password Guessing"
-adversary: origin
-references:
- - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
- - https://attack.mitre.org/techniques/T1110/001/
-description: |
- Detects multiple failed RDP login attempts from the same source IP address, indicating a potential brute force attack. This rule monitors Windows Event ID 4625 (failed logon) with focus on network logon types (type 3) which are commonly used for RDP connections. The rule triggers when 10 or more failed attempts occur from the same IP within 15 minutes.
-
- Next Steps:
- 1. Investigate the source IP address for malicious indicators and geolocation
- 2. Check if the targeted user accounts are legitimate and active
- 3. Review successful logons from the same IP after failed attempts
- 4. Implement IP blocking or rate limiting for the source address
- 5. Enable account lockout policies if not already configured
- 6. Consider implementing multi-factor authentication for RDP access
- 7. Review RDP access logs for any successful connections during the attack timeframe
-where: equals("log.eventCode", "4625") && equals("log.eventDataLogonType", "3") && exists("origin.ip") && !equals("origin.ip", "-") && !equals("origin.ip", "::1") && !equals("origin.ip", "127.0.0.1")
-afterEvents:
- - indexPattern: v11-log-wineventlog-*
- with:
- - field: origin.ip.keyword
- operator: filter_term
- value: '{{.origin.ip}}'
- - field: log.eventCode
- operator: filter_term
- value: '4625'
- - field: log.eventDataLogonType
- operator: filter_term
- value: '3'
- within: now-15m
- count: 10
-groupBy:
- - origin.ip
- - target.host