From a8c9d7174fbb154a5c20631e51159e1cbace1e52 Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Tue, 22 Jun 2021 10:22:01 -0400
Subject: [PATCH] Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml (#1225)
---
...file_sharing_activity_to_the_internet.toml | 20 ++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 578e7c930..168b681ab 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/26"

[rule]
author = ["Elastic"]
@@ -16,6 +16,7 @@ index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "SMB (Windows File Sharing) Activity to the Internet"
+references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "high"
@@ -35,8 +36,25 @@ event.category:(network or network_traffic) and network.transport:tcp and (desti
127.0.0.0/8 or
169.254.0.0/16 or
172.16.0.0/12 or
+192.0.0.0/24 or
+192.0.0.0/29 or
+192.0.0.8/32 or
+192.0.0.9/32 or
+192.0.0.10/32 or
+192.0.0.170/32 or
+192.0.0.171/32 or
+192.0.2.0/24 or
+192.31.196.0/24 or
+192.52.193.0/24 or
192.168.0.0/16 or
+192.88.99.0/24 or
224.0.0.0/4 or
+100.64.0.0/10 or
+192.175.48.0/24 or
+198.18.0.0/15 or
+198.51.100.0/24 or
+203.0.113.0/24 or
+240.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8"
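Review bot: Six of the new exclusions in the third hunk are redundant: `192.0.0.0/29`, `192.0.0.8/32`, `192.0.0.9/32`, `192.0.0.10/32`, `192.0.0.170/32` and `192.0.0.171/32` all lie inside `192.0.0.0/24`, which the same hunk also adds, so the more-specific entries never change what the query matches and only lengthen it — I would drop them and keep the `/24`. More importantly for a rule named "Activity to the Internet", the IANA registry the commit cites marks some of the newly excluded blocks as globally reachable — as far as I recall `192.31.196.0/24` and `192.175.48.0/24` (AS112) and `192.52.193.0/24` (AMT) — which would turn SMB sessions to routable addresses into a silent blind spot; please check each added range against the registry's "Globally Reachable" column and keep only those where it is False. It would also help to record that selection criterion in the rule's description or note text so a future reviewer knows why a range is, or is not, on the list. The `query` string this list belongs to starts before the hunk, so I could not confirm from here whether the filter applies to the destination or source address.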