
[Rule Tuning] Component Object Model Hijacking - alerts about Slack, Spotify #5804

@richlv

Link to Rule

https://github.com/elastic/detection-rules/blob/main/rules/windows/persistence_suspicious_com_hijack_registry.toml

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

Component Object Model Hijacking alerts about Slack, Spotify.
Potentially useful fields/values:

process.code_signature.subject_name: Slack Technologies, LLC
process.code_signature.subject_name: Spotify AB

Example Data

No response
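As an added example (not code from the detection-rules repository or from the issue author), the following Python applies the signer-based exclusion proposed above to constructed registry events, additionally requiring process.code_signature.trusted so that a binary merely claiming the same subject name is not excluded; the registry-path check is a simplified assumption standing in for the rule's real query.

```python
# Signers proposed in the issue for exclusion from the COM hijack rule.
BENIGN_SIGNERS = {"Slack Technologies, LLC", "Spotify AB"}


def is_benign_signed(event: dict) -> bool:
    """True only when the writing process is signed by an allowlisted subject
    AND the OS validated the signature chain (code_signature.trusted)."""
    sig = event.get("process", {}).get("code_signature", {})
    return sig.get("subject_name") in BENIGN_SIGNERS and sig.get("trusted") is True


def should_alert(event: dict) -> bool:
    """Alert on a CLSID InprocServer32 registry write unless the writer is an
    allowlisted, trusted signer. The path check is an assumed simplification,
    not the actual EQL of the rule linked above."""
    path = event.get("registry", {}).get("path", "")
    is_com_write = "\\Classes\\CLSID\\" in path and path.endswith("\\InprocServer32")
    return is_com_write and not is_benign_signed(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # Slack updater with a validated signature -> suppressed
        "process": {"name": "slack.exe", "code_signature": {
            "subject_name": "Slack Technologies, LLC", "trusted": True}},
        "registry": {"path": "HKEY_USERS\\S-1-5-21-1\\Software\\Classes\\CLSID\\{AAAA}\\InprocServer32"},
    },
    {  # same subject name but signature not trusted -> still alerts
        "process": {"name": "slack_lookalike.exe", "code_signature": {
            "subject_name": "Slack Technologies, LLC", "trusted": False}},
        "registry": {"path": "HKEY_USERS\\S-1-5-21-1\\Software\\Classes\\CLSID\\{BBBB}\\InprocServer32"},
    },
    {  # unsigned writer -> alerts
        "process": {"name": "unsigned.exe"},
        "registry": {"path": "HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{CCCC}\\InprocServer32"},
    },
    {  # Spotify, trusted, but not a COM server path -> out of scope for the rule
        "process": {"name": "spotify.exe", "code_signature": {
            "subject_name": "Spotify AB", "trusted": True}},
        "registry": {"path": "HKEY_USERS\\S-1-5-21-1\\Software\\Spotify\\Settings"},
    },
]


def triage(events) -> list:
    """Return the process names that would still raise an alert after tuning."""
    return [e["process"]["name"] for e in events if should_alert(e)]
```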
