search

elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html
Other
1.96k stars 500 forks source link

[Rule Tuning] Threat Intel IP Address Indicator Match #3439

Closed FlorianHeigl closed 4 months ago

FlorianHeigl commented 9 months ago

Link to rule

idk

Description

This rule triggers with a very high risk score (99) I have the pfsense integration set up. In there, 'internal' networks are/can be defined. I get a high risk alert for a blocked event from a network (public internet side of firewall) that is not on the list of internal networks.

This should be a much lower risk, as

(The 99 would make sense for something like reaching out to some beacon)

Example Data

I'm very sorry that I can't suggest a modified query, i'm not competent in most of the components that need to be touched.

{
  "_index": ".internal.alerts-security.alerts-default-000001",
  "_id": "2aafb2900ce8e9bcef7034ce1ce7677a48252211afcbc30bf9480b4c49f188d7",
  "_score": 1,
  "fields": {
    "kibana.alert.severity": [
      "critical"
    ],
    "rule.id": [
      "1770010363"
    ],
    "kibana.alert.rule.references": [
      "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
      "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
      "https://www.elastic.co/security/tip"
    ],
    "kibana.alert.rule.updated_by": [
      "elastic"
    ],
    "signal.ancestors.depth": [
      0
    ],
    "event.category": [
      "network"
    ],
    "elastic_agent.version": [
      "8.11.2"
    ],
    "kibana.alert.original_event.reason": [
      "match"
    ],
    "kibana.alert.rule.tags": [
      "OS: Windows",
      "Data Source: Elastic Endgame",
      "Rule Type: Indicator Match"
    ],
    "kibana.alert.reason.text": [
      "network event with process filterlog, source 104.218.48.107:41262, destination xxx:81, created critical alert Threat Intel IP Address Indicator Match."
    ],
    "observer.vendor": [
      "netgate"
    ],
    "kibana.alert.ancestors.depth": [
      0
    ],
    "signal.rule.enabled": [
      "true"
    ],
    "signal.rule.max_signals": [
      100
    ],
    "signal.original_event.reason": [
      "match"
    ],
    "kibana.alert.risk_score": [
      99
    ],
    "signal.rule.updated_at": [
      "2024-02-07T01:48:45.919Z"
    ],
    "source.ip": [
      "104.218.48.107"
    ],
    "agent.name": [
      "b2965285fa7b"
    ],
    "destination.address": [
      "xxx"
    ],
    "pfsense.tcp.options": [
      "mss"
    ],
    "network.community_id": [
      "1:ufcEKILBsWQc+O+bqoeZcezTqp4="
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "destination.geo.continent_name": [
      "Europe"
    ],
    "kibana.alert.original_event.module": [
      "pfsense"
    ],
    "signal.rule.references": [
      "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
      "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
      "https://www.elastic.co/security/tip"
    ],
    "kibana.alert.rule.interval": [
      "1h"
    ],
    "input.type": [
      "udp"
    ],
    "kibana.alert.rule.type": [
      "threat_match"
    ],
    "tags": [
      "pfsense",
      "forwarded"
    ],
    "kibana.alert.start": [
      "2024-02-11T14:08:07.329Z"
    ],
    "destination.geo.city_name": [
      "Neusäß"
    ],
    "event.provider": [
      "filterlog"
    ],
    "kibana.alert.rule.immutable": [
      "true"
    ],
    "kibana.alert.original_event.type": [
      "connection",
      "denied"
    ],
    "kibana.alert.rule.timeline_title": [
      "Generic Threat Match Timeline"
    ],
    "agent.id": [
      "xxx"
    ],
    "signal.original_event.module": [
      "pfsense"
    ],
    "source.port": [
      41262
    ],
    "log.source.address": [
      "xxxx:514"
    ],
    "signal.rule.from": [
      "now-65m"
    ],
    "network.iana_number": [
      "6"
    ],
    "kibana.alert.rule.enabled": [
      "true"
    ],
    "destination.geo.country_name": [
      "Germany"
    ],
    "destination.geo.region_iso_code": [
      "DE-BY"
    ],
    "kibana.alert.rule.version": [
      "5"
    ],
    "kibana.alert.ancestors.type": [
      "event"
    ],
    "source.as.number": [
      19318
    ],
    "destination.port": [
      81
    ],
    "signal.ancestors.index": [
      ".ds-logs-pfsense.log-default-2024.02.10-000001"
    ],
    "pfsense.tcp.window": [
      65535
    ],
    "agent.type": [
      "filebeat"
    ],
    "signal.original_event.category": [
      "network"
    ],
    "related.ip": [
      "xxx",
      "104.218.48.107"
    ],
    "kibana.alert.rule.timeline_id": [
      "495ad7a7-316e-4544-8a0f-9c098daee76e"
    ],
    "pfsense.tcp.length": [
      0
    ],
    "threat.enrichments": [
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2757609/"
        ],
        "indicator.url.original.text": [
          "http://104.218.48.107/uwu/arm"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2024.02.07-000001"
        ],
        "indicator.url.full.text": [
          "http://104.218.48.107/uwu/arm"
        ],
        "indicator.url.domain": [
          "104.218.48.107"
        ],
        "indicator.url.original": [
          "http://104.218.48.107/uwu/arm"
        ],
        "indicator.first_seen": [
          "2024-02-06T13:30:15.000Z"
        ],
        "indicator.ip": [
          "104.218.48.107"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "abuse_ch"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/uwu/arm"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "LFaE+NZsgvhRkbnstwdH9VLK/k8="
        ],
        "indicator.url.full": [
          "http://104.218.48.107/uwu/arm"
        ],
        "matched.atomic": [
          "104.218.48.107"
        ]
      },
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2757610/"
        ],
        "indicator.url.original.text": [
          "http://104.218.48.107/uwu/arm7"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2024.02.07-000001"
        ],
        "indicator.url.full.text": [
          "http://104.218.48.107/uwu/arm7"
        ],
        "indicator.url.domain": [
          "104.218.48.107"
        ],
        "indicator.url.original": [
          "http://104.218.48.107/uwu/arm7"
        ],
        "indicator.first_seen": [
          "2024-02-06T13:30:15.000Z"
        ],
        "indicator.ip": [
          "104.218.48.107"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "abuse_ch"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/uwu/arm7"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "kEixaStn++iN9JZzdMB7IClN4BI="
        ],
        "indicator.url.full": [
          "http://104.218.48.107/uwu/arm7"
        ],
        "matched.atomic": [
          "104.218.48.107"
        ]
      },
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2757611/"
        ],
        "indicator.url.original.text": [
          "http://104.218.48.107/uwu/mips"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2024.02.07-000001"
        ],
        "indicator.url.full.text": [
          "http://104.218.48.107/uwu/mips"
        ],
        "indicator.url.domain": [
          "104.218.48.107"
        ],
        "indicator.url.original": [
          "http://104.218.48.107/uwu/mips"
        ],
        "indicator.first_seen": [
          "2024-02-06T13:30:15.000Z"
        ],
        "indicator.ip": [
          "104.218.48.107"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "abuse_ch"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/uwu/mips"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "22e5che3ck+vnCWiVuqtLl+1KdA="
        ],
        "indicator.url.full": [
          "http://104.218.48.107/uwu/mips"
        ],
        "matched.atomic": [
          "104.218.48.107"
        ]
      },
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2757602/"
        ],
        "indicator.url.original.text": [
          "http://104.218.48.107/uwu/m68k"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2024.02.07-000001"
        ],
        "indicator.url.full.text": [
          "http://104.218.48.107/uwu/m68k"
        ],
        "indicator.url.domain": [
          "104.218.48.107"
        ],
        "indicator.url.original": [
          "http://104.218.48.107/uwu/m68k"
        ],
        "indicator.first_seen": [
          "2024-02-06T13:30:14.000Z"
        ],
        "indicator.ip": [
          "104.218.48.107"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "abuse_ch"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/uwu/m68k"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "CQLbzq6rbvnxvn0n0xqty3wuzhU="
        ],
        "indicator.url.full": [
          "http://104.218.48.107/uwu/m68k"
        ],
        "matched.atomic": [
          "104.218.48.107"
        ]
      },
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2757603/"
        ],
        "indicator.url.original.text": [
          "http://104.218.48.107/uwu/sh4"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2024.02.07-000001"
        ],
        "indicator.url.full.text": [
          "http://104.218.48.107/uwu/sh4"
        ],
        "indicator.url.domain": [
          "104.218.48.107"
        ],
        "indicator.url.original": [
          "http://104.218.48.107/uwu/sh4"
        ],
        "indicator.first_seen": [
          "2024-02-06T13:30:14.000Z"
        ],
        "indicator.ip": [
          "104.218.48.107"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "abuse_ch"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/uwu/sh4"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "pj9AObFtZEZRGESvJN7LuvXJRCk="
        ],
        "indicator.url.full": [
          "http://104.218.48.107/uwu/sh4"
        ],
        "matched.atomic": [
          "104.218.48.107"
        ]
      },
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2757604/"
        ],
        "indicator.url.original.text": [
          "http://104.218.48.107/uwu/arm5"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2024.02.07-000001"
        ],
        "indicator.url.full.text": [
          "http://104.218.48.107/uwu/arm5"
        ],
        "indicator.url.domain": [
          "104.218.48.107"
        ],
        "indicator.url.original": [
          "http://104.218.48.107/uwu/arm5"
        ],
        "indicator.first_seen": [
          "2024-02-06T13:30:14.000Z"
        ],
        "indicator.ip": [
          "104.218.48.107"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "abuse_ch"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/uwu/arm5"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "wvLalBkCM0wpXOUKh9nMOYjE2Uw="
        ],
        "indicator.url.full": [
          "http://104.218.48.107/uwu/arm5"
        ],
        "matched.atomic": [
          "104.218.48.107"
        ]
      },
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2757605/"
        ],
        "indicator.url.original.text": [
          "http://104.218.48.107/uwu/spc"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2024.02.07-000001"
        ],
        "indicator.url.full.text": [
          "http://104.218.48.107/uwu/spc"
        ],
        "indicator.url.domain": [
          "104.218.48.107"
        ],
        "indicator.url.original": [
          "http://104.218.48.107/uwu/spc"
        ],
        "indicator.first_seen": [
          "2024-02-06T13:30:14.000Z"
        ],
        "indicator.ip": [
          "104.218.48.107"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "abuse_ch"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/uwu/spc"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "nXwE1Jk2SfzPVqtcrPWW9fXobU8="
        ],
        "indicator.url.full": [
          "http://104.218.48.107/uwu/spc"
        ],
        "matched.atomic": [
          "104.218.48.107"
        ]
      },
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2757606/"
        ],
        "indicator.url.original.text": [
          "http://104.218.48.107/uwu/mpsl"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2024.02.07-000001"
        ],
        "indicator.url.full.text": [
          "http://104.218.48.107/uwu/mpsl"
        ],
        "indicator.url.domain": [
          "104.218.48.107"
        ],
        "indicator.url.original": [
          "http://104.218.48.107/uwu/mpsl"
        ],
        "indicator.first_seen": [
          "2024-02-06T13:30:14.000Z"
        ],
        "indicator.ip": [
          "104.218.48.107"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "abuse_ch"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/uwu/mpsl"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "SbIWnOYdxgVXUoDj9CrCLXmfQV0="
        ],
        "indicator.url.full": [
          "http://104.218.48.107/uwu/mpsl"
        ],
        "matched.atomic": [
          "104.218.48.107"
        ]
      },
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2757607/"
        ],
        "indicator.url.original.text": [
          "http://104.218.48.107/uwu/ppc"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2024.02.07-000001"
        ],
        "indicator.url.full.text": [
          "http://104.218.48.107/uwu/ppc"
        ],
        "indicator.url.domain": [
          "104.218.48.107"
        ],
        "indicator.url.original": [
          "http://104.218.48.107/uwu/ppc"
        ],
        "indicator.first_seen": [
          "2024-02-06T13:30:14.000Z"
        ],
        "indicator.ip": [
          "104.218.48.107"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "abuse_ch"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/uwu/ppc"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "v1UeXczkOdHaV/kVqnkVV0qlw3k="
        ],
        "indicator.url.full": [
          "http://104.218.48.107/uwu/ppc"
        ],
        "matched.atomic": [
          "104.218.48.107"
        ]
      },
      {
        "indicator.reference": [
          "https://urlhaus.abuse.ch/url/2757608/"
        ],
        "indicator.url.original.text": [
          "http://104.218.48.107/uwu/x86"
        ],
        "matched.index": [
          ".ds-logs-ti_abusech.url-default-2024.02.07-000001"
        ],
        "indicator.url.full.text": [
          "http://104.218.48.107/uwu/x86"
        ],
        "indicator.url.domain": [
          "104.218.48.107"
        ],
        "indicator.url.original": [
          "http://104.218.48.107/uwu/x86"
        ],
        "indicator.first_seen": [
          "2024-02-06T13:30:14.000Z"
        ],
        "indicator.ip": [
          "104.218.48.107"
        ],
        "matched.field": [
          "source.ip"
        ],
        "indicator.provider": [
          "abuse_ch"
        ],
        "indicator.url.scheme": [
          "http"
        ],
        "indicator.url.path": [
          "/uwu/x86"
        ],
        "indicator.type": [
          "url"
        ],
        "matched.type": [
          "indicator_match_rule"
        ],
        "matched.id": [
          "rAVFYL02zbCZqenoZQa7JxWs7fg="
        ],
        "indicator.url.full": [
          "http://104.218.48.107/uwu/x86"
        ],
        "matched.atomic": [
          "104.218.48.107"
        ]
      }
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "signal.original_event.type": [
      "connection",
      "denied"
    ],
    "kibana.alert.rule.note": [
      "snipped"
    ],
    "pfsense.tcp.flags": [
      "S"
    ],
    "kibana.alert.rule.max_signals": [
      100
    ],
    "signal.rule.author": [
      "Elastic"
    ],
    "elastic_agent.id": [
      "xxx"
    ],
    "kibana.alert.rule.risk_score": [
      99
    ],
    "destination.as.organization.name.text": [
      "M-net Telekommunikations GmbH"
    ],
    "signal.original_event.dataset": [
      "pfsense.log"
    ],
    "destination.ip": [
      "xxx"
    ],
    "kibana.alert.rule.consumer": [
      "siem"
    ],
    "kibana.alert.rule.indices": [
      "auditbeat-*",
      "endgame-*",
      "filebeat-*",
      "logs-*",
      "packetbeat-*",
      "winlogbeat-*"
    ],
    "kibana.alert.rule.category": [
      "Indicator Match Rule"
    ],
    "event.action": [
      "block"
    ],
    "event.ingested": [
      "2024-02-11T13:31:56.000Z"
    ],
    "@timestamp": [
      "2024-02-11T14:08:07.294Z"
    ],
    "kibana.alert.original_event.action": [
      "block"
    ],
    "signal.rule.updated_by": [
      "elastic"
    ],
    "pfsense.ip.tos": [
      "0x0"
    ],
    "destination.geo.country_iso_code": [
      "DE"
    ],
    "kibana.alert.rule.severity": [
      "critical"
    ],
    "pfsense.ip.offset": [
      0
    ],
    "kibana.alert.original_event.agent_id_status": [
      "verified"
    ],
    "data_stream.dataset": [
      "pfsense.log"
    ],
    "signal.rule.timestamp_override": [
      "event.ingested"
    ],
    "agent.ephemeral_id": [
      "xxx"
    ],
    "kibana.alert.rule.execution.uuid": [
      "c6826806-f063-4a1a-8a8f-3f88f4ed18cc"
    ],
    "kibana.alert.uuid": [
      "2aafb2900ce8e9bcef7034ce1ce7677a48252211afcbc30bf9480b4c49f188d7"
    ],
    "signal.rule.note": [
      "xxxxn"
    ],
    "kibana.version": [
      "8.12.1"
    ],
    "signal.rule.license": [
      "Elastic License v2"
    ],
    "signal.ancestors.type": [
      "event"
    ],
    "destination.as.organization.name": [
      "M-net Telekommunikations GmbH"
    ],
    "kibana.alert.rule.rule_id": [
      "0c41e478-5263-4c69-8f9e-7dfd2c22da64"
    ],
    "signal.rule.timeline_title": [
      "Generic Threat Match Timeline"
    ],
    "signal.rule.type": [
      "threat_match"
    ],
    "kibana.alert.ancestors.id": [
      "iUJemI0Bhruqp73BCXcn"
    ],
    "process.name.text": [
      "filterlog"
    ],
    "kibana.alert.url": [
      "https://esf:5601/app/security/alerts/redirect/2aafb2900ce8e9bcef7034ce1ce7677a48252211afcbc30bf9480b4c49f188d7?index=.alerts-security.alerts-default&timestamp=2024-02-11T14:08:07.294Z"
    ],
    "kibana.alert.rule.description": [
      "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event."
    ],
    "observer.ingress.interface.name": [
      "igb1"
    ],
    "process.pid": [
      41474
    ],
    "kibana.alert.rule.producer": [
      "siem"
    ],
    "kibana.alert.rule.to": [
      "now"
    ],
    "signal.rule.created_by": [
      "elastic"
    ],
    "signal.rule.interval": [
      "1h"
    ],
    "kibana.alert.rule.created_by": [
      "elastic"
    ],
    "signal.original_event.timezone": [
      "+00:00"
    ],
    "kibana.alert.original_event.ingested": [
      "2024-02-11T13:31:56.000Z"
    ],
    "kibana.alert.rule.timestamp_override": [
      "event.ingested"
    ],
    "signal.rule.id": [
      "120b8350-c392-11ee-9fdd-3d33924f994d"
    ],
    "event.reason": [
      "match"
    ],
    "signal.reason": [
      "network event with process filterlog, source 104.218.48.107:41262, destination xxxx:81, created critical alert Threat Intel IP Address Indicator Match."
    ],
    "signal.rule.risk_score": [
      99
    ],
    "destination.geo.region_name": [
      "Bavaria"
    ],
    "kibana.alert.rule.name": [
      "Threat Intel IP Address Indicator Match"
    ],
    "signal.status": [
      "open"
    ],
    "event.kind": [
      "signal"
    ],
    "signal.rule.created_at": [
      "2024-02-04T19:17:43.240Z"
    ],
    "signal.rule.tags": [
      "OS: Windows",
      "Data Source: Elastic Endgame",
      "Rule Type: Indicator Match"
    ],
    "kibana.alert.workflow_status": [
      "open"
    ],
    "kibana.alert.rule.uuid": [
      "120b8350-c392-11ee-9fdd-3d33924f994d"
    ],
    "kibana.alert.original_event.category": [
      "network"
    ],
    "signal.original_event.provider": [
      "filterlog"
    ],
    "kibana.alert.reason": [
      "network event with process filterlog, source 104.218.48.107:41262, destination 88.217.235.67:81, created critical alert Threat Intel IP Address Indicator Match."
    ],
    "data_stream.type": [
      "logs"
    ],
    "signal.ancestors.id": [
      "iUJemI0Bhruqp73BCXcn"
    ],
    "signal.original_time": [
      "2024-02-11T14:31:56.000Z"
    ],
    "process.name": [
      "filterlog"
    ],
    "ecs.version": [
      "8.11.0"
    ],
    "observer.type": [
      "firewall"
    ],
    "signal.rule.severity": [
      "critical"
    ],
    "kibana.alert.ancestors.index": [
      ".ds-logs-pfsense.log-default-2024.02.10-000001"
    ],
    "agent.version": [
      "8.11.2"
    ],
    "kibana.alert.depth": [
      1
    ],
    "kibana.alert.rule.from": [
      "now-65m"
    ],
    "kibana.alert.rule.parameters": [
      {
        "xxxx",
        "license": "Elastic License v2",
        "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
        "timeline_title": "Generic Threat Match Timeline",
        "timestamp_override": "event.ingested",
        "author": [
          "Elastic"
        ],
        "false_positives": [],
        "from": "now-65m",
        "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64",
        "max_signals": 100,
        "risk_score_mapping": [],
        "severity_mapping": [],
        "threat": [],
        "to": "now",
        "references": [
          "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
          "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
          "https://www.elastic.co/security/tip"
        ],
        "version": 5,
        "exceptions_list": [],
        "immutable": true,
        "related_integrations": [],
        "required_fields": [
          {
            "name": "destination.ip",
            "type": "ip",
            "ecs": true
          },
          {
            "name": "source.ip",
            "type": "ip",
            "ecs": true
          }
        ],
        "setup": "\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n",
        "type": "threat_match",
        "language": "kuery",
        "index": [
          "auditbeat-*",
          "endgame-*",
          "filebeat-*",
          "logs-*",
          "packetbeat-*",
          "winlogbeat-*"
        ],
        "query": "source.ip:* or destination.ip:*\n",
        "threat_filters": [
          {
            "$state": {
              "store": "appState"
            },
            "meta": {
              "disabled": false,
              "key": "event.category",
              "negate": false,
              "params": {
                "query": "threat"
              },
              "type": "phrase"
            },
            "query": {
              "match_phrase": {
                "event.category": "threat"
              }
            }
          },
          {
            "$state": {
              "store": "appState"
            },
            "meta": {
              "disabled": false,
              "key": "event.kind",
              "negate": false,
              "params": {
                "query": "enrichment"
              },
              "type": "phrase"
            },
            "query": {
              "match_phrase": {
                "event.kind": "enrichment"
              }
            }
          },
          {
            "$state": {
              "store": "appState"
            },
            "meta": {
              "disabled": false,
              "key": "event.type",
              "negate": false,
              "params": {
                "query": "indicator"
              },
              "type": "phrase"
            },
            "query": {
              "match_phrase": {
                "event.type": "indicator"
              }
            }
          }
        ],
        "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
        "threat_mapping": [
          {
            "entries": [
              {
                "field": "source.ip",
                "type": "mapping",
                "value": "threat.indicator.ip"
              }
            ]
          },
          {
            "entries": [
              {
                "field": "destination.ip",
                "type": "mapping",
                "value": "threat.indicator.ip"
              }
            ]
          }
        ],
        "threat_language": "kuery",
        "threat_index": [
          "filebeat-*",
          "logs-ti_*"
        ],
        "threat_indicator_path": "threat.indicator"
      }
    ],
    "kibana.alert.rule.revision": [
      0
    ],
    "signal.rule.version": [
      "5"
    ],
    "signal.original_event.kind": [
      "event"
    ],
    "kibana.alert.status": [
      "active"
    ],
    "kibana.alert.last_detected": [
      "2024-02-11T14:08:07.329Z"
    ],
    "source.geo.location": [
      {
        "coordinates": [
          -97.822,
          37.751
        ],
        "type": "Point"
      }
    ],
    "kibana.alert.original_event.dataset": [
      "pfsense.log"
    ],
    "signal.depth": [
      1
    ],
    "source.address": [
      "104.218.48.107"
    ],
    "signal.rule.immutable": [
      "true"
    ],
    "destination.geo.location": [
      {
        "coordinates": [
          10.8432,
          48.3968
        ],
        "type": "Point"
      }
    ],
    "kibana.alert.rule.rule_type_id": [
      "siem.indicatorRule"
    ],
    "signal.rule.name": [
      "Threat Intel IP Address Indicator Match"
    ],
    "event.module": [
      "pfsense"
    ],
    "kibana.alert.original_event.provider": [
      "filterlog"
    ],
    "signal.rule.rule_id": [
      "0c41e478-5263-4c69-8f9e-7dfd2c22da64"
    ],
    "source.geo.country_iso_code": [
      "US"
    ],
    "kibana.alert.rule.license": [
      "Elastic License v2"
    ],
    "network.bytes": [
      44
    ],
    "log.syslog.priority": [
      134
    ],
    "network.direction": [
      "inbound"
    ],
    "kibana.alert.original_event.kind": [
      "event"
    ],
    "event.timezone": [
      "+00:00"
    ],
    "network.type": [
      "ipv4"
    ],
    "source.as.organization.name.text": [
      "IS-AS-1"
    ],
    "pfsense.ip.id": [
      54321
    ],
    "kibana.alert.rule.updated_at": [
      "2024-02-07T01:48:45.919Z"
    ],
    "signal.rule.description": [
      "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event."
    ],
    "data_stream.namespace": [
      "default"
    ],
    "destination.as.number": [
      8767
    ],
    "kibana.alert.rule.author": [
      "Elastic"
    ],
    "source.as.organization.name": [
      "IS-AS-1"
    ],
    "source.geo.continent_name": [
      "North America"
    ],
    "signal.rule.timeline_id": [
      "495ad7a7-316e-4544-8a0f-9c098daee76e"
    ],
    "message": [
      "134,,,1770010363,igb1,match,block,in,4,0x0,,243,54321,0,none,6,tcp,44,104.218.48.107,88.217.235.67,41262,81,0,S,1771157569,,65535,,mss"
    ],
    "network.transport": [
      "tcp"
    ],
    "pfsense.ip.ttl": [
      243
    ],
    "signal.original_event.action": [
      "block"
    ],
    "kibana.alert.rule.created_at": [
      "2024-02-04T19:17:43.240Z"
    ],
    "signal.rule.to": [
      "now"
    ],
    "event.type": [
      "connection",
      "denied"
    ],
    "kibana.alert.original_event.timezone": [
      "+00:00"
    ],
    "kibana.space_ids": [
      "default"
    ],
    "source.geo.country_name": [
      "United States"
    ],
    "pfsense.ip.flags": [
      "none"
    ],
    "event.dataset": [
      "pfsense.log"
    ],
    "kibana.alert.original_time": [
      "2024-02-11T14:31:56.000Z"
    ]
  }
}

(gawd, so much redundant info to sanitize)

FlorianHeigl commented 9 months ago

I guess per logic it would make sense to penalize un-initiated connections, vs. looking at details?

botelastic[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented 6 months ago

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

w0rk3r commented 4 months ago

As the rule is intended to be generic, it defaults to 99, but this can be changed locally according to the feeds used in your deployment, or exceptions can be added to using certain fields/categories of your threat feeds or to filter out blocked events.