security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Tuning to allow for greater flexibility in integration policy (#5774)

Browse Source
This commit is contained in:
Eric Forte
2026-02-25 13:56:02 -05:00
committed by GitHub
parent feb3041310
commit b2f76bd2c9
3 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/network/discovery_potential_network_sweep_detected.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/05/17"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/02/28"
updated_date = "2026/02/24"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ tags = [
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.action:network_flow and destination.port:(21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
event.action:(network_flow or flow_started) and destination.port:(21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and
source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''
note = """## Triage and analysis
rules/network/discovery_potential_port_scan_detected.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/05/17"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2026/01/16"
updated_date = "2026/02/24"
[rule]
author = ["Elastic"]
@@ -36,7 +36,7 @@ type = "esql"
query = '''
from logs-network_traffic.*, packetbeat-*, logs-panw.panos*
| mv_expand event.action
| where event.action == "network_flow" and destination.port is not null and source.ip is not null and destination.ip is not null
| where event.action in ("network_flow", "flow_started") and destination.port is not null and source.ip is not null and destination.ip is not null
| eval Esql.time_window = DATE_TRUNC(1min, @timestamp)
| where CIDR_MATCH(source.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
| eval sensitive_port = case(destination.port IN (21, 22, 23, 53, 88, 139, 389, 445, 3389, 5900, 5985, 5986, 9389), true, false)
rules/network/discovery_potential_syn_port_scan_detected.toml
+2 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2023/05/17"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/02/28"
updated_date = "2026/02/24"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ tags = [
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.action:network_flow and destination.port:* and network.packets <= 2 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
event.action:(network_flow or flow_started) and destination.port:* and network.packets <= 2 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''
note = """## Triage and analysis