[Rule Tuning] Local Account TokenFilter Policy Disabled - alerts about Windows update #5756

@richlv

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

This rule seems to alert on the Windows Update process (https://superuser.com/questions/1650577/what-is-mousocoreworker-exe-and-why-does-it-take-up-so-much-ram).

Potentially useful fields:
process.code_signature.exists: true
process.code_signature.status: trusted
process.code_signature.subject_name: Microsoft Windows
process.code_signature.trusted: true
process.executable: C:\Windows\UUS\amd64\MoUsoCoreWorker.exe

Example Data

No response
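As an added example (not code from the issue author or from the detection-rules project), the block below re-implements the rule's core condition in Python and applies the exclusion the listed fields suggest, then runs both the untuned and tuned logic over constructed ECS-style events. It assumes, from the rule name rather than the rule file, that the rule fires on a registry change setting ...\Policies\System\LocalAccountTokenFilterPolicy to 1; the field names are the ECS names quoted above, and the sample events are constructed, not real telemetry. The exclusion keys on the executable path together with the trusted "Microsoft Windows" signature, so a Microsoft-signed reg.exe or an unsigned binary merely named MoUsoCoreWorker.exe still alerts.

```python
from typing import Dict, List

Event = Dict[str, object]

# Assumed core condition of the rule (paraphrased from the rule name, not the
# project's actual EQL): a registry change that sets
# ...\Policies\System\LocalAccountTokenFilterPolicy to 1.
TOKENFILTER_PATH_SUFFIX = "\\policies\\system\\localaccounttokenfilterpolicy"
ENABLING_VALUES = {"1", "0x00000001"}


def rule_matches(event: Event) -> bool:
    """Untuned logic: fires on any process that enables the policy."""
    if event.get("event.category") != "registry" or event.get("event.type") != "change":
        return False
    path = str(event.get("registry.path", "")).lower()
    value = str(event.get("registry.data.strings", ""))
    return path.endswith(TOKENFILTER_PATH_SUFFIX) and value in ENABLING_VALUES


def is_trusted_update_worker(event: Event) -> bool:
    """Exclusion built from the fields listed in the issue.

    It requires both the MoUsoCoreWorker.exe path and a trusted Microsoft
    Windows signature, so a renamed or unsigned binary with that file name,
    or a different Microsoft-signed tool, is still alerted on.
    """
    exe = str(event.get("process.executable", "")).lower()
    return (
        exe.endswith("\\mousocoreworker.exe")
        and event.get("process.code_signature.trusted") is True
        and event.get("process.code_signature.subject_name") == "Microsoft Windows"
    )


def tuned_rule_matches(event: Event) -> bool:
    """Rule condition with the proposed false-positive exclusion applied."""
    return rule_matches(event) and not is_trusted_update_worker(event)


def evaluate(events: List[Event], tuned: bool) -> List[str]:
    """Return the ids of events that would alert, untuned or tuned."""
    check = tuned_rule_matches if tuned else rule_matches
    return [str(e["id"]) for e in events if check(e)]


# Constructed sample events (hypothetical, not captured telemetry).
POLICY_PATH = (
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
    "\\LocalAccountTokenFilterPolicy"
)
_BASE = {"event.category": "registry", "event.type": "change", "registry.path": POLICY_PATH}

SAMPLE_EVENTS: List[Event] = [
    {   # the benign Windows Update worker reported in this issue
        **_BASE, "id": "update-worker", "registry.data.strings": "1",
        "process.executable": "C:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe",
        "process.code_signature.trusted": True,
        "process.code_signature.subject_name": "Microsoft Windows",
    },
    {   # manual change with reg.exe: Microsoft-signed, but not the update worker
        **_BASE, "id": "reg-exe", "registry.data.strings": "1",
        "process.executable": "C:\\Windows\\System32\\reg.exe",
        "process.code_signature.trusted": True,
        "process.code_signature.subject_name": "Microsoft Windows",
    },
    {   # unsigned look-alike dropped in a temp directory: must still alert
        **_BASE, "id": "lookalike", "registry.data.strings": "0x00000001",
        "process.executable": "C:\\Users\\Public\\MoUsoCoreWorker.exe",
        "process.code_signature.trusted": False,
        "process.code_signature.subject_name": "",
    },
    {   # the worker setting the value back to 0 is outside the rule entirely
        **_BASE, "id": "worker-disable", "registry.data.strings": "0",
        "process.executable": "C:\\Windows\\UUS\\amd64\\MoUsoCoreWorker.exe",
        "process.code_signature.trusted": True,
        "process.code_signature.subject_name": "Microsoft Windows",
    },
]

if __name__ == "__main__":
    print("untuned:", evaluate(SAMPLE_EVENTS, tuned=False))
    print("tuned:  ", evaluate(SAMPLE_EVENTS, tuned=True))
```

Running the block shows the tuned logic dropping only the update-worker event while reg.exe and the unsigned look-alike keep alerting; whatever exclusion ends up in the rule itself should likewise combine the executable path with the signature fields rather than the file name alone.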
