Commit
Tune rule to exclude forwarded events. (#3790)
Events containing "forwarded" as a tag may include host information
that is not related to the host running elastic agent. This triggers
false positive alerts. Examples include Entity Analytics integrations,
Palo Alto GlobalProtect activity, and M365 Defender device events.

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 0726ce4)
jvalente-salemstate authored and github-actions[bot] committed Jun 25, 2024
1 parent 3fed0dd commit 4cf883b
Showing 1 changed file with 2 additions and 2 deletions.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/14"

[rule]
author = ["Elastic"]
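Review bot: the updated_date bump is the only trace of this behaviour change in the rule file; since the query hunk below now silently drops any event tagged "forwarded", the rule's own false_positives or note section (if this rule carries one) should record that hosts seen only through forwarding integrations (the commit message names Entity Analytics, Palo Alto GlobalProtect and M365 Defender) will no longer trigger, so an analyst tuning or auditing the rule understands why those sources are absent.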
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.agent_id_status:*
event.agent_id_status:* and not tags:forwarded
'''


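Review bot: `and not tags:forwarded` excludes on a field that the event producer controls, so for an agent-spoofing threshold rule this widens the evasion surface: any spoofed event carrying `tags: ["forwarded"]` is now exempt from the rule regardless of its agent_id_status. Since the commit message names the specific integrations that generate the false positives, consider narrowing the exclusion to those sources (for example on event.dataset or data_stream.dataset values) rather than on the generic tag, or at least note the trade-off in the rule. Also confirm that events with no `tags` field at all still match as intended; in KQL `not tags:forwarded` is true when the field is absent, which is presumably the desired behaviour here.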
