[Rule Tuning] Network Rules Deprecate Beats Indices (#5932)

* Remove the packetbeat-* and auditbeat-* indices, as their IP fields are mapped as string type
Eric Forte
2026-05-01 21:33:53 -04:00
committed by GitHub
parent aad0e4ed11
commit 435ec8115d
6 changed files with 82 additions and 53 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/04/24"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
index = ["logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "SMTP on Port 26/TCP"
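Review bot: The new `index` line drops `filebeat-*` together with `packetbeat-*` and `auditbeat-*`, but the commit message only justifies the latter two (string-typed IP fields), so any Filebeat-shipped network events that previously matched this rule are now out of scope without that being stated. If the intent is to rely solely on the `logs-network_traffic.*` and `logs-panw.panos*` data streams, say so in the commit message; otherwise keep a `logs-<integration>.*` pattern for whichever Filebeat module used to feed this rule. The rule's `query` is outside this hunk, so I cannot confirm which fields it matches on.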
@@ -29,7 +29,14 @@ references = [
risk_score = 21
rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
severity = "low"
tags = ["Tactic: Command and Control", "Tactic: Exfiltration", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
tags = ["Tactic: Command and Control",
"Tactic: Exfiltration",
"Domain: Endpoint",
"Use Case: Threat Detection",
"Data Source: PAN-OS",
"Data Source: Network Traffic",
"Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/04/24"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
index = ["logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "RDP (Remote Desktop Protocol) from the Internet"
@@ -31,7 +31,15 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 47
rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
severity = "medium"
tags = ["Tactic: Command and Control", "Tactic: Lateral Movement", "Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
tags = ["Tactic: Command and Control",
"Tactic: Lateral Movement",
"Tactic: Initial Access",
"Domain: Endpoint",
"Use Case: Threat Detection",
"Data Source: PAN-OS",
"Data Source: Network Traffic",
"Resources: Investigation Guide"
]
timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
timeline_title = "Comprehensive Network Timeline"
timestamp_override = "event.ingested"
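Review bot: The rebuilt tag list keeps `"Domain: Endpoint",` although this rule now reads only `logs-network_traffic.*` and `logs-panw.panos*`, while the SMB rule in the same commit tags the equivalent flow data as `"Domain: Network",`. If the repository's tagging convention treats flow and firewall rules as the Network domain, change the line to `"Domain: Network",` here (and in the SMTP and RPC rules) so the Domain tag is consistent across the commit; if Endpoint is deliberate, the SMB rule is the odd one out.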
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/04/24"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
backdoor vector.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
index = ["logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "RPC (Remote Procedure Call) from the Internet"
@@ -21,7 +21,12 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 73
rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
tags = ["Tactic: Initial Access",
"Domain: Endpoint",
"Use Case: Threat Detection",
"Data Source: PAN-OS",
"Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "query"
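Review bot: The tag list in this hunk omits `"Data Source: Network Traffic",` even though the rule's `index` now includes `logs-network_traffic.*` and every other rule touched by this commit adds that tag. Insert `"Data Source: Network Traffic",` after `"Data Source: PAN-OS",` so the RPC-from-the-Internet rule is found by the same data-source filter as its siblings.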
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/04/24"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
backdoor vector.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
index = ["logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "RPC (Remote Procedure Call) to the Internet"
@@ -21,7 +21,14 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 73
rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
severity = "high"
tags = ["Tactic: Initial Access", "Tactic: Lateral Movement", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
tags = ["Tactic: Initial Access",
"Tactic: Lateral Movement",
"Domain: Endpoint",
"Use Case: Threat Detection",
"Data Source: PAN-OS",
"Data Source: Network Traffic",
"Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "query"
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2026/04/10"
updated_date = "2026/04/24"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ systems. It should almost never be directly exposed to the Internet, as it is fr
threat actors as an initial access or backdoor vector or for data exfiltration.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
index = ["logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "SMB (Windows File Sharing) Activity to the Internet"
@@ -21,46 +21,46 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 47
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "medium"
tags = ["Tactic: Initial Access", "Tactic: Exfiltration", "Domain: Network", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
tags = ["Tactic: Initial Access",
"Tactic: Exfiltration",
"Domain: Network",
"Use Case: Threat Detection",
"Data Source: PAN-OS",
"Data Source: Network Traffic",
"Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
network.transport:tcp and (destination.port:(139 or 445) or data_stream.dataset:zeek.smb) and
source.ip:(
10.0.0.0/8 or
172.16.0.0/12 or
192.168.0.0/16
) and
not destination.ip:(
10.0.0.0/8 or
127.0.0.0/8 or
169.254.0.0/16 or
172.16.0.0/12 or
192.0.0.0/24 or
192.0.0.0/29 or
192.0.0.8/32 or
192.0.0.9/32 or
192.0.0.10/32 or
192.0.0.170/32 or
192.0.0.171/32 or
192.0.2.0/24 or
192.31.196.0/24 or
192.52.193.0/24 or
192.168.0.0/16 or
192.88.99.0/24 or
224.0.0.0/4 or
100.64.0.0/10 or
192.175.48.0/24 or
198.18.0.0/15 or
198.51.100.0/24 or
203.0.113.0/24 or
240.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8"
)
(data_stream.dataset:network_traffic.flow or event.category:(network or network_traffic))
and network.transport:tcp and destination.port:(139 or 445)
and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
and not destination.ip:(10.0.0.0/8
or 100.64.0.0/10
or 127.0.0.0/8
or 169.254.0.0/16
or 172.16.0.0/12
or 192.0.0.0/24
or 192.0.0.0/29
or 192.0.0.10/32
or 192.0.0.170/32
or 192.0.0.171/32
or 192.0.0.8/32
or 192.0.0.9/32
or 192.0.2.0/24
or 192.168.0.0/16
or 192.175.48.0/24
or 192.31.196.0/24
or 192.52.193.0/24
or 192.88.99.0/24
or 198.18.0.0/15
or 198.51.100.0/24
or 203.0.113.0/24
or 224.0.0.0/4
or 240.0.0.0/4
or "::1"
or "FE80::/10"
or "FF00::/8")
'''
note = """## Triage and analysis
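Review bot: The rewritten query silently drops the `or data_stream.dataset:zeek.smb` alternative from the port filter, and with `filebeat-*` removed from `index` no remaining pattern would match a Zeek SMB data stream, so Zeek-sourced SMB-to-Internet detections stop firing without the commit message mentioning it. If that coverage loss is deliberate, state it in the commit message; if not, restore `and network.transport:tcp and (destination.port:(139 or 445) or data_stream.dataset:zeek.smb)` and add the Zeek data-stream pattern (presumably `logs-zeek.*`) to `index`. The rest of the rewrite appears to be a no-op: the 26 excluded destination ranges are the same set reordered, and removing the parentheses around `event.category` does not change precedence.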
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/07/16"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2026/04/16"
updated_date = "2026/04/29"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
authorized vulnerability scan or compromise assessment.
""",
]
index = ["packetbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "Abnormally Large DNS Response"
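Review bot: `logs-panw.panos*` is added to `index` (and `panw` to `integration`) for a rule that, by its name, keys on DNS response size, but the query is outside this hunk and nothing here shows that PAN-OS logs populate the fields it filters on; if they do not, the extra pattern only widens the scan without adding detections. Confirm against the query that the PAN-OS dataset carries the response-length field the rule uses, or leave the line at `index = ["logs-network_traffic.*"]`.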
@@ -68,6 +68,8 @@ tags = [
"Tactic: Impact",
"Resources: Investigation Guide",
"Use Case: Vulnerability",
"Data Source: PAN-OS",
"Data Source: Network Traffic",
]
timestamp_override = "event.ingested"
type = "query"