From 435ec8115d73af1a5d81bfbdac70c6c9a2ce81be Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Fri, 1 May 2026 21:33:53 -0400
Subject: [PATCH] [Rule Tuning] Network Rules Deprecate Beats Indices (#5932)

* Remove packet and audit beat as they are type string for ips
---
 .../command_and_control_port_26_activity.toml | 13 +++-
 ...te_desktop_protocol_from_the_internet.toml | 14 +++-
 ...mote_procedure_call_from_the_internet.toml | 11 ++-
 ...remote_procedure_call_to_the_internet.toml | 13 +++-
 ...file_sharing_activity_to_the_internet.toml | 76 +++++++++----------
 .../lateral_movement_dns_server_overflow.toml | 8 +-
 6 files changed, 82 insertions(+), 53 deletions(-)

diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index a5ddf13d3..fb52d34a9 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/24"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMTP on Port 26/TCP"
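Review bot: The `index` hunk drops `filebeat-*` together with `packetbeat-*` and `auditbeat-*`, while the commit description only says packet and audit beat were removed because their IP fields are mapped as strings; whether Filebeat's network modules share that mapping problem is not stated. The same three-pattern removal is repeated in the `index` hunks of the RDP, both RPC and SMB rules, and `filebeat-*` also goes from the DNS rule at the end of the patch. Either extend the description to cover Filebeat or, if it was dropped for a different reason, say so, so the coverage change for Filebeat-sourced network logs is traceable from the history.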
@@ -29,7 +29,14 @@ references = [
 risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
-tags = ["Tactic: Command and Control", "Tactic: Exfiltration", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
+tags = ["Tactic: Command and Control",
+ "Tactic: Exfiltration",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Network Traffic",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 2d2c5b59e..92938711d 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/24"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RDP (Remote Desktop Protocol) from the Internet"
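Review bot: The rewritten `tags` array keeps the first element on the `tags = [` line, hangs the remaining elements under it and omits the comma after the last element before `]`, which differs from the one-element-per-line, trailing-comma layout that the `tags = [` block of lateral_movement_dns_server_overflow.toml at the end of this patch uses. The same layout is used in the `tags` hunks of the RDP, both RPC and SMB rules, and the SMB one additionally closes the array on the element line as `"Resources: Investigation Guide"]`. I would put `tags = [` on its own line, one element per line, each ending with a comma, and `]` alone on the last line, so that future tag additions diff as single-line changes.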
@@ -31,7 +31,15 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Tactic: Lateral Movement", "Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
+tags = ["Tactic: Command and Control",
+ "Tactic: Lateral Movement",
+ "Tactic: Initial Access",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Network Traffic",
+ "Resources: Investigation Guide"
+]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index d2d20b900..ae2776bbb 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/24"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) from the Internet"
@@ -21,7 +21,12 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
+tags = ["Tactic: Initial Access",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index a1e90e348..b4f35d511 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/24"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) to the Internet"
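Review bot: The rebuilt `tags` array of initial_access_rpc_remote_procedure_call_from_the_internet.toml does not add `"Data Source: Network Traffic"`, although the equivalent `tags` hunks of the other five rules in this patch add it, and this rule's `index` hunk above keeps `logs-network_traffic.*` and its `integration` line lists `network_traffic`. Unless the omission is deliberate, add the line `"Data Source: Network Traffic",` after `"Data Source: PAN-OS",` so the rule is tagged consistently with the data it reads.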
@@ -21,7 +21,14 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
-tags = ["Tactic: Initial Access", "Tactic: Lateral Movement", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
+tags = ["Tactic: Initial Access",
+ "Tactic: Lateral Movement",
+ "Domain: Endpoint",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Network Traffic",
+ "Resources: Investigation Guide"
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 585afd172..695588f78 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/04/10"
+updated_date = "2026/04/24"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ systems. It should almost never be directly exposed to the Internet, as it is fr
 threat actors as an initial access or backdoor vector or for data exfiltration.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
+index = ["logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMB (Windows File Sharing) Activity to the Internet"
@@ -21,46 +21,46 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "medium"
-tags = ["Tactic: Initial Access", "Tactic: Exfiltration", "Domain: Network", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
+tags = ["Tactic: Initial Access",
+ "Tactic: Exfiltration",
+ "Domain: Network",
+ "Use Case: Threat Detection",
+ "Data Source: PAN-OS",
+ "Data Source: Network Traffic",
+ "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
 query = '''
-(data_stream.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
- network.transport:tcp and (destination.port:(139 or 445) or data_stream.dataset:zeek.smb) and
- source.ip:(
- 10.0.0.0/8 or
- 172.16.0.0/12 or
- 192.168.0.0/16
- ) and
- not destination.ip:(
- 10.0.0.0/8 or
- 127.0.0.0/8 or
- 169.254.0.0/16 or
- 172.16.0.0/12 or
- 192.0.0.0/24 or
- 192.0.0.0/29 or
- 192.0.0.8/32 or
- 192.0.0.9/32 or
- 192.0.0.10/32 or
- 192.0.0.170/32 or
- 192.0.0.171/32 or
- 192.0.2.0/24 or
- 192.31.196.0/24 or
- 192.52.193.0/24 or
- 192.168.0.0/16 or
- 192.88.99.0/24 or
- 224.0.0.0/4 or
- 100.64.0.0/10 or
- 192.175.48.0/24 or
- 198.18.0.0/15 or
- 198.51.100.0/24 or
- 203.0.113.0/24 or
- 240.0.0.0/4 or
- "::1" or
- "FE80::/10" or
- "FF00::/8"
- )
+(data_stream.dataset:network_traffic.flow or event.category:(network or network_traffic))
+ and network.transport:tcp and destination.port:(139 or 445)
+ and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
+ and not destination.ip:(10.0.0.0/8
+ or 100.64.0.0/10
+ or 127.0.0.0/8
+ or 169.254.0.0/16
+ or 172.16.0.0/12
+ or 192.0.0.0/24
+ or 192.0.0.0/29
+ or 192.0.0.10/32
+ or 192.0.0.170/32
+ or 192.0.0.171/32
+ or 192.0.0.8/32
+ or 192.0.0.9/32
+ or 192.0.2.0/24
+ or 192.168.0.0/16
+ or 192.175.48.0/24
+ or 192.31.196.0/24
+ or 192.52.193.0/24
+ or 192.88.99.0/24
+ or 198.18.0.0/15
+ or 198.51.100.0/24
+ or 203.0.113.0/24
+ or 224.0.0.0/4
+ or 240.0.0.0/4
+ or "::1"
+ or "FE80::/10"
+ or "FF00::/8")
 '''
 
 note = """## Triage and analysis
diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml
index d41ebd560..addb9e2a3 100644
--- a/rules/network/lateral_movement_dns_server_overflow.toml
+++ b/rules/network/lateral_movement_dns_server_overflow.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2026/04/16"
+updated_date = "2026/04/29"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 authorized vulnerability scan or compromise assessment.
 """,
 ]
-index = ["packetbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Abnormally Large DNS Response"
@@ -68,6 +68,8 @@ tags = [
 "Tactic: Impact",
 "Resources: Investigation Guide",
 "Use Case: Vulnerability",
+ "Data Source: PAN-OS",
+ "Data Source: Network Traffic",
 ]
 timestamp_override = "event.ingested"
 type = "query"
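Review bot: Besides re-laying out the `query` of the SMB rule, the new body drops the `or data_stream.dataset:zeek.smb` alternative from the port clause, so SMB traffic is now matched only on `destination.port:(139 or 445)`, and neither the commit subject nor its description mentions this narrowing. Since `filebeat-*` is removed from `index` in the hunk above and the remaining patterns are `logs-network_traffic.*` and `logs-panw.panos*`, the `zeek.smb` dataset presumably could no longer reach this rule and the clause was dead, but that reasoning should be written down in the description so a reader of the diff does not mistake it for an accidental loss of detection. The reordering of the `destination.ip` exclusion list and the removal of the redundant parentheses look behaviour-neutral.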
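Review bot: The `index` hunk of lateral_movement_dns_server_overflow.toml adds `logs-panw.panos*` and the `[metadata]` hunk adds `"panw"` to `integration`, but the rule's `query` lies outside every hunk of this file, so the patch gives no evidence that PAN-OS events populate the fields a DNS response-size check filters on. The other five rules in this patch already listed `logs-panw.panos*` before the change, whereas this rule gains PAN-OS here for the first time, which makes it the one most worth validating. It would help to state in the description which PAN-OS fields were checked against the query, or, once that is done, to add a comment above `index` such as `# logs-panw.panos*: added after confirming the query's fields are populated by PAN-OS traffic logs`.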