elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] RPC (Remote Procedure Call) from the Internet #3998

Open willem-dhaese opened 3 weeks ago

willem-dhaese commented 3 weeks ago

Link to Rule

RPC (Remote Procedure Call) from the Internet

Rule Tuning Type

Data Quality - Ensuring integrity and quality of data used by detection rules.

Description

Noticed "RPC (Remote Procedure Call) from the Internet" doesn't contain logs-panw.panos*, which contains the needed data. It might also impact other firewalls, so it might be better to just add logs-*?

It might be useful to check all rules using logs-network_traffic.* and not logs-*.

Example Data

No response

willem-dhaese commented 3 weeks ago

This used to work before we migrated the panw Filebeat module to Elastic Agent PANW Integration...

willem-dhaese commented 3 weeks ago

Same for:

willem-dhaese commented 3 weeks ago

Please have a look at these rules @w0rk3r 🙏

w0rk3r commented 3 weeks ago

Hey @willem-dhaese, there are some performance implications in adding some patterns like logs-*, so we need to take a deeper look before doing something like this. I'll put this in our backlog, but in the meantime, I think the best option is to duplicate the rule and add the pattern locally

willem-dhaese commented 3 weeks ago

Another: Potential SYN-Based Network Scan Detected

Ok, can logs-panw.panos* be added then?

Watch the logs-panw.panos*. We separated the different PANW subcategories to:

logs-panw.panos.traffic
logs-panw.panos.threat

etc. (together with @ckauf)

This worked when we were using the Filebeat panw module. It's really disappointing this just stopped working after migrating to the Elastic Agent integration...

I hate having to duplicate rules, as it's a lot of work on our side to maintain all of the duplicated rules.
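As an added example (not code from the detection-rules project or from either commenter), a small Python check for the audit the issue suggests: which rules list logs-network_traffic.* without logs-*, and which rules would be blind to the PANW data streams named in the thread. The rule names and their index patterns, and the `-default` namespace suffix on the data stream names, are constructed sample data; in the real repo the patterns come from the `index` field of each rule's TOML file.

```python
"""Check which detection rules would see a given data stream.

A rule only sees events from data streams whose names match one of its
index patterns. Elasticsearch index patterns use `*` as the only wildcard,
so `logs-network_traffic.*` matches `logs-network_traffic.flow-default`
but not `logs-panw.panos.traffic-default`.
"""
import re

# Constructed sample rules (representative, not copied from the repo).
RULES = {
    "RPC (Remote Procedure Call) from the Internet": [
        "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*",
    ],
    "Potential SYN-Based Network Scan Detected": [
        "logs-network_traffic.*", "packetbeat-*",
    ],
    "Hypothetical broad rule (constructed)": ["logs-*"],
}

# Data streams the PANW integration writes to, per the thread; the
# `-default` namespace suffix is an assumption.
PANW_STREAMS = ["logs-panw.panos.traffic-default", "logs-panw.panos.threat-default"]


def pattern_matches(index_pattern: str, index_name: str) -> bool:
    """Elasticsearch-style wildcard match: `*` matches any run of characters;
    everything else (including `?`, `.` and `[`) is taken literally."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in index_pattern)
    return re.fullmatch(regex, index_name) is not None


def rules_blind_to(rules: dict, index_name: str) -> list:
    """Names of rules whose index patterns do not cover `index_name`."""
    return sorted(
        name for name, patterns in rules.items()
        if not any(pattern_matches(p, index_name) for p in patterns)
    )


def rules_with_narrow_pattern(rules: dict, narrow: str, broad: str = "logs-*") -> list:
    """Rules that rely on `narrow` without also listing `broad`."""
    return sorted(name for name, patterns in rules.items()
                  if narrow in patterns and broad not in patterns)


if __name__ == "__main__":
    print("Rules on logs-network_traffic.* only:",
          rules_with_narrow_pattern(RULES, "logs-network_traffic.*"))
    for stream in PANW_STREAMS:
        print(f"Rules blind to {stream}:", rules_blind_to(RULES, stream))
```

Adding `logs-panw.panos*` (or `logs-panw.panos.*`) to a rule's pattern list makes `rules_blind_to` drop it, which is the change the issue asks for.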