From e2c8c7745dadac2c573ca88251eacd98f4a38ee8 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 23 Jan 2026 12:02:25 +0000
Subject: [PATCH] [Tuning] Suricata and Elastic Defend Network Correlation
 (#5583)

* [Tuning] Suricata and Elastic Defend Network Correlation

Nessus is main source of noise.

* Update command_and_control_suricata_elastic_defend_c2.toml
---
 ...mand_and_control_suricata_elastic_defend_c2.toml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
index 3835b0ab4..0ca537563 100644
--- a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
+++ b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/12/10"
 integration = ["endpoint", "suricata"]
 maturity = "production"
-updated_date = "2025/12/10"
+updated_date = "2026/01/20"
 
 [rule]
 author = ["Elastic"]
@@ -37,9 +37,14 @@ tags = [
 ]
 type = "eql"
 query = '''
-sequence by source.port, source.ip, destination.ip with maxspan=1m
- [network where event.dataset == "suricata.eve" and event.kind == "alert" and event.severity != 3 and source.ip != null and destination.ip != null]
- [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
+sequence by source.port, source.ip, destination.ip with maxspan=5s
+ [network where event.dataset == "suricata.eve" and event.kind == "alert" and
+  event.severity != 3 and source.ip != null and destination.ip != null and
+  not source.domain : ("*nessusscan*", "SCCMPS*") and
+  not rule.name in ("ET INFO SMB2 NT Create AndX Request For a Powershell .ps1 File", "ET SCAN MS Terminal Server Traffic on Non-standard Port")]
+ [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted") and
+  not process.executable in ("System", "C:\\Program Files (x86)\\Admin Arsenal\\PDQ Inventory\\PDQInventoryService.exe") and 
+  not process.executable : "C:\\Windows\\AdminArsenal\\PDQInventory-Scanner\\service-*\\exec\\PDQInventoryScanner.exe"]
 '''
 note = """## Triage and analysis