Tune rule to exclude forwarded events. (#3790)

Events containing "forwarded" as a tag may include host information
that is not related to the host running elastic agent. This triggers
false positive alerts. Examples include Entity Analytics integrations,
Palo Alto GlobalProtect activity, and M365 Defender device events.

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 0726ce41bf)
James Valente
2024-06-25 07:22:07 -04:00
committed by github-actions[bot]
parent a1015c32e5
commit a995f27c13
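To make the effect of the query change concrete, the following is an added example (not code from the detection-rules repository or from the commit author) that evaluates both the old filter `event.agent_id_status:*` and the new filter `event.agent_id_status:* and not tags:forwarded` against a handful of constructed events. The events, their ids, host names and agent ids are invented for illustration; the only semantics borrowed from KQL are that `field:*` matches when the field exists and `tags:forwarded` matches when the `tags` array contains that value.

```python
"""Evaluate the old and new KQL filter of the rule against sample events.

Everything below is constructed for illustration: the events are not real
telemetry from Elastic Agent, Palo Alto GlobalProtect or M365 Defender.
"""
from typing import Any, Callable, Dict, List, Optional


def get_field(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS path (e.g. 'event.agent_id_status') in a nested dict.

    Returns None when any segment is missing, which is how KQL treats an
    absent field for the `field:*` existence test.
    """
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def has_tag(event: Dict[str, Any], tag: str) -> bool:
    """Mimic KQL `tags:<term>`: true if the tags field contains the term.

    ECS `tags` is normally an array, but a single string value is accepted
    too, as KQL would match it the same way.
    """
    tags = get_field(event, "tags")
    if tags is None:
        return False
    if isinstance(tags, str):
        tags = [tags]
    return tag in tags


def matches_old(event: Dict[str, Any]) -> bool:
    """Old query: event.agent_id_status:*  (the field merely has to exist)."""
    return get_field(event, "event.agent_id_status") is not None


def matches_new(event: Dict[str, Any]) -> bool:
    """New query: event.agent_id_status:* and not tags:forwarded."""
    return matches_old(event) and not has_tag(event, "forwarded")


# Constructed sample events (hypothetical ids, hosts and agent ids).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # A normal endpoint event produced by the agent on the host it reports.
    {"id": "endpoint-ok", "event": {"agent_id_status": "verified"},
     "agent": {"id": "agent-a1"}, "host": {"name": "ws-01"}, "tags": []},
    # An event whose API key does not match the agent id it claims.
    {"id": "endpoint-spoof", "event": {"agent_id_status": "mismatch"},
     "agent": {"id": "agent-a1"}, "host": {"name": "ws-01"}, "tags": []},
    # A forwarded VPN log: host.name is the remote user's machine, not the
    # collector running the agent, so the status field is a false signal here.
    {"id": "globalprotect-forwarded", "event": {"agent_id_status": "verified"},
     "agent": {"id": "agent-collector"}, "host": {"name": "vpn-user-laptop"},
     "tags": ["forwarded", "globalprotect"]},
    # A forwarded event with no agent_id_status at all: neither query matches.
    {"id": "no-status", "event": {"category": ["network"]},
     "tags": ["forwarded"]},
    # The blind spot of the new filter: a mismatched event that also carries
    # the forwarded tag is excluded, even though it is the kind the rule wants.
    {"id": "spoof-tagged-forwarded", "event": {"agent_id_status": "mismatch"},
     "agent": {"id": "agent-a1"}, "host": {"name": "ws-01"},
     "tags": ["forwarded"]},
]


def evaluate(events: List[Dict[str, Any]],
             matcher: Callable[[Dict[str, Any]], bool]) -> List[str]:
    """Return the ids of the events the given filter would pass to the threshold stage."""
    return [e["id"] for e in events if matcher(e)]


if __name__ == "__main__":
    print("old:", evaluate(SAMPLE_EVENTS, matches_old))
    print("new:", evaluate(SAMPLE_EVENTS, matches_new))
```

Running the block shows the forwarded GlobalProtect event dropping out under the new filter, which is the false positive the commit targets, but it also shows that the exclusion keys on a tag rather than on where the event came from: the last sample event is a mismatched status that disappears simply because something tagged it `forwarded`.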
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/14"
[rule]
author = ["Elastic"]
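Review bot: only updated_date changes in this hunk, so the reason for the query change is recorded solely in the commit message; the integrations it names as the source of the false positives (Entity Analytics, Palo Alto GlobalProtect, M365 Defender device events) do not appear anywhere in the shown diff. Capturing that in the rule's own documentation would let an analyst who sees the exclusion later understand why forwarded events are dropped without digging through git history.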
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.agent_id_status:*
event.agent_id_status:* and not tags:forwarded
'''
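Review bot: the exclusion `not tags:forwarded` keys on a value that any ingest pipeline or processor can set, so it removes more than the integrations the commit message names and opens a simple bypass: an event with a mismatched agent id that also carries the `forwarded` tag will no longer reach the threshold stage at all. If the intent is to drop only the third-party sources whose host fields do not describe the agent host, consider scoping the exclusion to those sources (for example by dataset or integration) rather than the tag, or at least documenting the trade-off alongside the query so the blind spot is a known one.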