Open willem-dhaese opened 3 weeks ago
This used to work before we migrated the panw Filebeat module to Elastic Agent PANW Integration...
Same for:
Please have a look at these rules @w0rk3r 🙏
Hey @willem-dhaese, there are some performance implications in adding some patterns like `logs-*`, so we need to take a deeper look before doing something like this. I'll put this in our backlog, but in the meantime, I think the best option is to duplicate the rule and add the pattern locally.
Another: Potential SYN-Based Network Scan Detected
Ok, can `logs-panw.panos*` be added then?
Watch the `logs-panw.panos*`. We separated the different PANW subcategories to: `logs-panw.panos.traffic`, `logs-panw.panos.threat`, etc. (together with @ckauf)
This worked when we were using the Filebeat panw module. It's really disappointing this just stopped working after migrating to the Elastic Agent integration...
I hate having to duplicate rules, as it's a lot of work on our side to maintain all of the duplicated rules.
Link to Rule
RPC (Remote Procedure Call) from the Internet

Rule Tuning Type
Data Quality - Ensuring integrity and quality of data used by detection rules.

Description
Noticed "RPC (Remote Procedure Call) from the Internet" doesn't contain `logs-panw.panos*`, which contains the needed data. Might also impact other firewalls, so it might be better to just add `logs-*`? It might be useful to check all rules using `logs-network_traffic.*` and not `logs-*`.

Example Data
No response
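The check suggested in the description, as an added example that is not the detection-rules project's own tooling: it reads rule definitions in the `[rule]` TOML layout, matches each rule's `index` patterns against the data streams an environment actually writes to (only `*` is a wildcard in Elasticsearch index patterns), and reports the rules that cannot see the PAN-OS streams after the per-subcategory split described in the thread. The rule files, rule names and data stream names are constructed for the example.

```python
import re

# Constructed rule definitions in the [rule] TOML layout used by detection
# rules; only the fields the audit needs are included.
SAMPLE_RULES = {
    "rpc_from_internet.toml": '''
[rule]
name = "RPC (Remote Procedure Call) from the Internet"
index = ["filebeat-*", "packetbeat-*", "logs-network_traffic.*"]
''',
    "syn_scan_tuned.toml": '''
[rule]
name = "Potential SYN-Based Network Scan Detected (local copy)"
index = ["logs-network_traffic.*", "logs-panw.panos*"]
''',
}

# Constructed data stream names, following the per-subcategory split the
# thread describes (integration data streams end in "-<namespace>").
DATA_STREAMS = [
    "logs-panw.panos.traffic-default",
    "logs-panw.panos.threat-default",
    "logs-network_traffic.flow-default",
]

def rule_index_patterns(toml_text):
    """Pull the index array from a rule file (regex shortcut, not full TOML parsing)."""
    m = re.search(r"^index\s*=\s*\[(.*?)\]", toml_text, re.M | re.S)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []

def es_pattern_matches(pattern, name):
    """Only '*' is a wildcard in an index pattern; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def uncovered_streams(patterns, streams):
    """Data streams that none of the rule's index patterns would match."""
    return [s for s in streams if not any(es_pattern_matches(p, s) for p in patterns)]

def audit(rules, streams):
    """Map each rule file to the data streams its index patterns cannot see."""
    gaps = {f: uncovered_streams(rule_index_patterns(t), streams) for f, t in rules.items()}
    return {f: missing for f, missing in gaps.items() if missing}

if __name__ == "__main__":
    for fname, missing in audit(SAMPLE_RULES, DATA_STREAMS).items():
        print(f"{fname}: no index pattern matches {', '.join(missing)}")
```

Pointing `SAMPLE_RULES` at the real rule files and `DATA_STREAMS` at the output of a data stream listing from the cluster turns this into the audit the description asks for.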