security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning] SMB (Windows File Sharing) Activity to the Internet (#5533)

Browse Source 
* [Tuning] SMB (Windows File Sharing) Activity to the Internet

converted to new term  (history search window set to 5 days by destination.ip) to reduce alerts volume. https://github.com/elastic/detection-rules/issues/5490

* Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml

* Update rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml

* Update rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
This commit is contained in:
Samirbous
2026-01-08 21:52:09 +00:00
committed by GitHub
parent 34daf12d51
commit e7cb01778b
1 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+12 -5
View File
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2026/01/07"
[rule]
author = ["Elastic"]
@@ -18,12 +18,12 @@ language = "kuery"
license = "Elastic License v2"
name = "SMB (Windows File Sharing) Activity to the Internet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 73
risk_score = 47
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
severity = "medium"
tags = ["Tactic: Initial Access", "Domain: Network", "Use Case: Threat Detection", "Data Source: PAN-OS", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"
type = "new_terms"
query = '''
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and
@@ -124,3 +124,10 @@ id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
[rule.new_terms]
field = "new_terms_fields"
value = ["source.ip"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-5d"