[Rule Tuning] Threat Intel IP Address Indicator Match
FlorianHeigl opened this issue · comments
Link to rule
idk
Description
This rule triggers with a very high risk score (99).
I have the pfsense integration set up.
In that integration, 'internal' networks are (or can be) defined.
I get a high-risk alert for a blocked event from a network (the public-internet side of the firewall) that is not on the list of internal networks.
This should be a much lower risk, as
- it was blocked
- no internal system was involved on either side of the communication
(A score of 99 would make sense for something like a host reaching out to a beacon.)
Example Data
I'm very sorry that I can't suggest a modified query; I'm not competent in most of the components that would need to be touched.
{
"_index": ".internal.alerts-security.alerts-default-000001",
"_id": "2aafb2900ce8e9bcef7034ce1ce7677a48252211afcbc30bf9480b4c49f188d7",
"_score": 1,
"fields": {
"kibana.alert.severity": [
"critical"
],
"rule.id": [
"1770010363"
],
"kibana.alert.rule.references": [
"https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
"https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip"
],
"kibana.alert.rule.updated_by": [
"elastic"
],
"signal.ancestors.depth": [
0
],
"event.category": [
"network"
],
"elastic_agent.version": [
"8.11.2"
],
"kibana.alert.original_event.reason": [
"match"
],
"kibana.alert.rule.tags": [
"OS: Windows",
"Data Source: Elastic Endgame",
"Rule Type: Indicator Match"
],
"kibana.alert.reason.text": [
"network event with process filterlog, source 104.218.48.107:41262, destination xxx:81, created critical alert Threat Intel IP Address Indicator Match."
],
"observer.vendor": [
"netgate"
],
"kibana.alert.ancestors.depth": [
0
],
"signal.rule.enabled": [
"true"
],
"signal.rule.max_signals": [
100
],
"signal.original_event.reason": [
"match"
],
"kibana.alert.risk_score": [
99
],
"signal.rule.updated_at": [
"2024-02-07T01:48:45.919Z"
],
"source.ip": [
"104.218.48.107"
],
"agent.name": [
"b2965285fa7b"
],
"destination.address": [
"xxx"
],
"pfsense.tcp.options": [
"mss"
],
"network.community_id": [
"1:ufcEKILBsWQc+O+bqoeZcezTqp4="
],
"event.agent_id_status": [
"verified"
],
"destination.geo.continent_name": [
"Europe"
],
"kibana.alert.original_event.module": [
"pfsense"
],
"signal.rule.references": [
"https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
"https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip"
],
"kibana.alert.rule.interval": [
"1h"
],
"input.type": [
"udp"
],
"kibana.alert.rule.type": [
"threat_match"
],
"tags": [
"pfsense",
"forwarded"
],
"kibana.alert.start": [
"2024-02-11T14:08:07.329Z"
],
"destination.geo.city_name": [
"Neusäß"
],
"event.provider": [
"filterlog"
],
"kibana.alert.rule.immutable": [
"true"
],
"kibana.alert.original_event.type": [
"connection",
"denied"
],
"kibana.alert.rule.timeline_title": [
"Generic Threat Match Timeline"
],
"agent.id": [
"xxx"
],
"signal.original_event.module": [
"pfsense"
],
"source.port": [
41262
],
"log.source.address": [
"xxxx:514"
],
"signal.rule.from": [
"now-65m"
],
"network.iana_number": [
"6"
],
"kibana.alert.rule.enabled": [
"true"
],
"destination.geo.country_name": [
"Germany"
],
"destination.geo.region_iso_code": [
"DE-BY"
],
"kibana.alert.rule.version": [
"5"
],
"kibana.alert.ancestors.type": [
"event"
],
"source.as.number": [
19318
],
"destination.port": [
81
],
"signal.ancestors.index": [
".ds-logs-pfsense.log-default-2024.02.10-000001"
],
"pfsense.tcp.window": [
65535
],
"agent.type": [
"filebeat"
],
"signal.original_event.category": [
"network"
],
"related.ip": [
"xxx",
"104.218.48.107"
],
"kibana.alert.rule.timeline_id": [
"495ad7a7-316e-4544-8a0f-9c098daee76e"
],
"pfsense.tcp.length": [
0
],
"threat.enrichments": [
{
"indicator.reference": [
"https://urlhaus.abuse.ch/url/2757609/"
],
"indicator.url.original.text": [
"http://104.218.48.107/uwu/arm"
],
"matched.index": [
".ds-logs-ti_abusech.url-default-2024.02.07-000001"
],
"indicator.url.full.text": [
"http://104.218.48.107/uwu/arm"
],
"indicator.url.domain": [
"104.218.48.107"
],
"indicator.url.original": [
"http://104.218.48.107/uwu/arm"
],
"indicator.first_seen": [
"2024-02-06T13:30:15.000Z"
],
"indicator.ip": [
"104.218.48.107"
],
"matched.field": [
"source.ip"
],
"indicator.provider": [
"abuse_ch"
],
"indicator.url.scheme": [
"http"
],
"indicator.url.path": [
"/uwu/arm"
],
"indicator.type": [
"url"
],
"matched.type": [
"indicator_match_rule"
],
"matched.id": [
"LFaE+NZsgvhRkbnstwdH9VLK/k8="
],
"indicator.url.full": [
"http://104.218.48.107/uwu/arm"
],
"matched.atomic": [
"104.218.48.107"
]
},
{
"indicator.reference": [
"https://urlhaus.abuse.ch/url/2757610/"
],
"indicator.url.original.text": [
"http://104.218.48.107/uwu/arm7"
],
"matched.index": [
".ds-logs-ti_abusech.url-default-2024.02.07-000001"
],
"indicator.url.full.text": [
"http://104.218.48.107/uwu/arm7"
],
"indicator.url.domain": [
"104.218.48.107"
],
"indicator.url.original": [
"http://104.218.48.107/uwu/arm7"
],
"indicator.first_seen": [
"2024-02-06T13:30:15.000Z"
],
"indicator.ip": [
"104.218.48.107"
],
"matched.field": [
"source.ip"
],
"indicator.provider": [
"abuse_ch"
],
"indicator.url.scheme": [
"http"
],
"indicator.url.path": [
"/uwu/arm7"
],
"indicator.type": [
"url"
],
"matched.type": [
"indicator_match_rule"
],
"matched.id": [
"kEixaStn++iN9JZzdMB7IClN4BI="
],
"indicator.url.full": [
"http://104.218.48.107/uwu/arm7"
],
"matched.atomic": [
"104.218.48.107"
]
},
{
"indicator.reference": [
"https://urlhaus.abuse.ch/url/2757611/"
],
"indicator.url.original.text": [
"http://104.218.48.107/uwu/mips"
],
"matched.index": [
".ds-logs-ti_abusech.url-default-2024.02.07-000001"
],
"indicator.url.full.text": [
"http://104.218.48.107/uwu/mips"
],
"indicator.url.domain": [
"104.218.48.107"
],
"indicator.url.original": [
"http://104.218.48.107/uwu/mips"
],
"indicator.first_seen": [
"2024-02-06T13:30:15.000Z"
],
"indicator.ip": [
"104.218.48.107"
],
"matched.field": [
"source.ip"
],
"indicator.provider": [
"abuse_ch"
],
"indicator.url.scheme": [
"http"
],
"indicator.url.path": [
"/uwu/mips"
],
"indicator.type": [
"url"
],
"matched.type": [
"indicator_match_rule"
],
"matched.id": [
"22e5che3ck+vnCWiVuqtLl+1KdA="
],
"indicator.url.full": [
"http://104.218.48.107/uwu/mips"
],
"matched.atomic": [
"104.218.48.107"
]
},
{
"indicator.reference": [
"https://urlhaus.abuse.ch/url/2757602/"
],
"indicator.url.original.text": [
"http://104.218.48.107/uwu/m68k"
],
"matched.index": [
".ds-logs-ti_abusech.url-default-2024.02.07-000001"
],
"indicator.url.full.text": [
"http://104.218.48.107/uwu/m68k"
],
"indicator.url.domain": [
"104.218.48.107"
],
"indicator.url.original": [
"http://104.218.48.107/uwu/m68k"
],
"indicator.first_seen": [
"2024-02-06T13:30:14.000Z"
],
"indicator.ip": [
"104.218.48.107"
],
"matched.field": [
"source.ip"
],
"indicator.provider": [
"abuse_ch"
],
"indicator.url.scheme": [
"http"
],
"indicator.url.path": [
"/uwu/m68k"
],
"indicator.type": [
"url"
],
"matched.type": [
"indicator_match_rule"
],
"matched.id": [
"CQLbzq6rbvnxvn0n0xqty3wuzhU="
],
"indicator.url.full": [
"http://104.218.48.107/uwu/m68k"
],
"matched.atomic": [
"104.218.48.107"
]
},
{
"indicator.reference": [
"https://urlhaus.abuse.ch/url/2757603/"
],
"indicator.url.original.text": [
"http://104.218.48.107/uwu/sh4"
],
"matched.index": [
".ds-logs-ti_abusech.url-default-2024.02.07-000001"
],
"indicator.url.full.text": [
"http://104.218.48.107/uwu/sh4"
],
"indicator.url.domain": [
"104.218.48.107"
],
"indicator.url.original": [
"http://104.218.48.107/uwu/sh4"
],
"indicator.first_seen": [
"2024-02-06T13:30:14.000Z"
],
"indicator.ip": [
"104.218.48.107"
],
"matched.field": [
"source.ip"
],
"indicator.provider": [
"abuse_ch"
],
"indicator.url.scheme": [
"http"
],
"indicator.url.path": [
"/uwu/sh4"
],
"indicator.type": [
"url"
],
"matched.type": [
"indicator_match_rule"
],
"matched.id": [
"pj9AObFtZEZRGESvJN7LuvXJRCk="
],
"indicator.url.full": [
"http://104.218.48.107/uwu/sh4"
],
"matched.atomic": [
"104.218.48.107"
]
},
{
"indicator.reference": [
"https://urlhaus.abuse.ch/url/2757604/"
],
"indicator.url.original.text": [
"http://104.218.48.107/uwu/arm5"
],
"matched.index": [
".ds-logs-ti_abusech.url-default-2024.02.07-000001"
],
"indicator.url.full.text": [
"http://104.218.48.107/uwu/arm5"
],
"indicator.url.domain": [
"104.218.48.107"
],
"indicator.url.original": [
"http://104.218.48.107/uwu/arm5"
],
"indicator.first_seen": [
"2024-02-06T13:30:14.000Z"
],
"indicator.ip": [
"104.218.48.107"
],
"matched.field": [
"source.ip"
],
"indicator.provider": [
"abuse_ch"
],
"indicator.url.scheme": [
"http"
],
"indicator.url.path": [
"/uwu/arm5"
],
"indicator.type": [
"url"
],
"matched.type": [
"indicator_match_rule"
],
"matched.id": [
"wvLalBkCM0wpXOUKh9nMOYjE2Uw="
],
"indicator.url.full": [
"http://104.218.48.107/uwu/arm5"
],
"matched.atomic": [
"104.218.48.107"
]
},
{
"indicator.reference": [
"https://urlhaus.abuse.ch/url/2757605/"
],
"indicator.url.original.text": [
"http://104.218.48.107/uwu/spc"
],
"matched.index": [
".ds-logs-ti_abusech.url-default-2024.02.07-000001"
],
"indicator.url.full.text": [
"http://104.218.48.107/uwu/spc"
],
"indicator.url.domain": [
"104.218.48.107"
],
"indicator.url.original": [
"http://104.218.48.107/uwu/spc"
],
"indicator.first_seen": [
"2024-02-06T13:30:14.000Z"
],
"indicator.ip": [
"104.218.48.107"
],
"matched.field": [
"source.ip"
],
"indicator.provider": [
"abuse_ch"
],
"indicator.url.scheme": [
"http"
],
"indicator.url.path": [
"/uwu/spc"
],
"indicator.type": [
"url"
],
"matched.type": [
"indicator_match_rule"
],
"matched.id": [
"nXwE1Jk2SfzPVqtcrPWW9fXobU8="
],
"indicator.url.full": [
"http://104.218.48.107/uwu/spc"
],
"matched.atomic": [
"104.218.48.107"
]
},
{
"indicator.reference": [
"https://urlhaus.abuse.ch/url/2757606/"
],
"indicator.url.original.text": [
"http://104.218.48.107/uwu/mpsl"
],
"matched.index": [
".ds-logs-ti_abusech.url-default-2024.02.07-000001"
],
"indicator.url.full.text": [
"http://104.218.48.107/uwu/mpsl"
],
"indicator.url.domain": [
"104.218.48.107"
],
"indicator.url.original": [
"http://104.218.48.107/uwu/mpsl"
],
"indicator.first_seen": [
"2024-02-06T13:30:14.000Z"
],
"indicator.ip": [
"104.218.48.107"
],
"matched.field": [
"source.ip"
],
"indicator.provider": [
"abuse_ch"
],
"indicator.url.scheme": [
"http"
],
"indicator.url.path": [
"/uwu/mpsl"
],
"indicator.type": [
"url"
],
"matched.type": [
"indicator_match_rule"
],
"matched.id": [
"SbIWnOYdxgVXUoDj9CrCLXmfQV0="
],
"indicator.url.full": [
"http://104.218.48.107/uwu/mpsl"
],
"matched.atomic": [
"104.218.48.107"
]
},
{
"indicator.reference": [
"https://urlhaus.abuse.ch/url/2757607/"
],
"indicator.url.original.text": [
"http://104.218.48.107/uwu/ppc"
],
"matched.index": [
".ds-logs-ti_abusech.url-default-2024.02.07-000001"
],
"indicator.url.full.text": [
"http://104.218.48.107/uwu/ppc"
],
"indicator.url.domain": [
"104.218.48.107"
],
"indicator.url.original": [
"http://104.218.48.107/uwu/ppc"
],
"indicator.first_seen": [
"2024-02-06T13:30:14.000Z"
],
"indicator.ip": [
"104.218.48.107"
],
"matched.field": [
"source.ip"
],
"indicator.provider": [
"abuse_ch"
],
"indicator.url.scheme": [
"http"
],
"indicator.url.path": [
"/uwu/ppc"
],
"indicator.type": [
"url"
],
"matched.type": [
"indicator_match_rule"
],
"matched.id": [
"v1UeXczkOdHaV/kVqnkVV0qlw3k="
],
"indicator.url.full": [
"http://104.218.48.107/uwu/ppc"
],
"matched.atomic": [
"104.218.48.107"
]
},
{
"indicator.reference": [
"https://urlhaus.abuse.ch/url/2757608/"
],
"indicator.url.original.text": [
"http://104.218.48.107/uwu/x86"
],
"matched.index": [
".ds-logs-ti_abusech.url-default-2024.02.07-000001"
],
"indicator.url.full.text": [
"http://104.218.48.107/uwu/x86"
],
"indicator.url.domain": [
"104.218.48.107"
],
"indicator.url.original": [
"http://104.218.48.107/uwu/x86"
],
"indicator.first_seen": [
"2024-02-06T13:30:14.000Z"
],
"indicator.ip": [
"104.218.48.107"
],
"matched.field": [
"source.ip"
],
"indicator.provider": [
"abuse_ch"
],
"indicator.url.scheme": [
"http"
],
"indicator.url.path": [
"/uwu/x86"
],
"indicator.type": [
"url"
],
"matched.type": [
"indicator_match_rule"
],
"matched.id": [
"rAVFYL02zbCZqenoZQa7JxWs7fg="
],
"indicator.url.full": [
"http://104.218.48.107/uwu/x86"
],
"matched.atomic": [
"104.218.48.107"
]
}
],
"elastic_agent.snapshot": [
false
],
"signal.original_event.type": [
"connection",
"denied"
],
"kibana.alert.rule.note": [
"snipped"
],
"pfsense.tcp.flags": [
"S"
],
"kibana.alert.rule.max_signals": [
100
],
"signal.rule.author": [
"Elastic"
],
"elastic_agent.id": [
"xxx"
],
"kibana.alert.rule.risk_score": [
99
],
"destination.as.organization.name.text": [
"M-net Telekommunikations GmbH"
],
"signal.original_event.dataset": [
"pfsense.log"
],
"destination.ip": [
"xxx"
],
"kibana.alert.rule.consumer": [
"siem"
],
"kibana.alert.rule.indices": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
],
"kibana.alert.rule.category": [
"Indicator Match Rule"
],
"event.action": [
"block"
],
"event.ingested": [
"2024-02-11T13:31:56.000Z"
],
"@timestamp": [
"2024-02-11T14:08:07.294Z"
],
"kibana.alert.original_event.action": [
"block"
],
"signal.rule.updated_by": [
"elastic"
],
"pfsense.ip.tos": [
"0x0"
],
"destination.geo.country_iso_code": [
"DE"
],
"kibana.alert.rule.severity": [
"critical"
],
"pfsense.ip.offset": [
0
],
"kibana.alert.original_event.agent_id_status": [
"verified"
],
"data_stream.dataset": [
"pfsense.log"
],
"signal.rule.timestamp_override": [
"event.ingested"
],
"agent.ephemeral_id": [
"xxx"
],
"kibana.alert.rule.execution.uuid": [
"c6826806-f063-4a1a-8a8f-3f88f4ed18cc"
],
"kibana.alert.uuid": [
"2aafb2900ce8e9bcef7034ce1ce7677a48252211afcbc30bf9480b4c49f188d7"
],
"signal.rule.note": [
"xxxxn"
],
"kibana.version": [
"8.12.1"
],
"signal.rule.license": [
"Elastic License v2"
],
"signal.ancestors.type": [
"event"
],
"destination.as.organization.name": [
"M-net Telekommunikations GmbH"
],
"kibana.alert.rule.rule_id": [
"0c41e478-5263-4c69-8f9e-7dfd2c22da64"
],
"signal.rule.timeline_title": [
"Generic Threat Match Timeline"
],
"signal.rule.type": [
"threat_match"
],
"kibana.alert.ancestors.id": [
"iUJemI0Bhruqp73BCXcn"
],
"process.name.text": [
"filterlog"
],
"kibana.alert.url": [
"https://esf:5601/app/security/alerts/redirect/2aafb2900ce8e9bcef7034ce1ce7677a48252211afcbc30bf9480b4c49f188d7?index=.alerts-security.alerts-default&timestamp=2024-02-11T14:08:07.294Z"
],
"kibana.alert.rule.description": [
"This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event."
],
"observer.ingress.interface.name": [
"igb1"
],
"process.pid": [
41474
],
"kibana.alert.rule.producer": [
"siem"
],
"kibana.alert.rule.to": [
"now"
],
"signal.rule.created_by": [
"elastic"
],
"signal.rule.interval": [
"1h"
],
"kibana.alert.rule.created_by": [
"elastic"
],
"signal.original_event.timezone": [
"+00:00"
],
"kibana.alert.original_event.ingested": [
"2024-02-11T13:31:56.000Z"
],
"kibana.alert.rule.timestamp_override": [
"event.ingested"
],
"signal.rule.id": [
"120b8350-c392-11ee-9fdd-3d33924f994d"
],
"event.reason": [
"match"
],
"signal.reason": [
"network event with process filterlog, source 104.218.48.107:41262, destination xxxx:81, created critical alert Threat Intel IP Address Indicator Match."
],
"signal.rule.risk_score": [
99
],
"destination.geo.region_name": [
"Bavaria"
],
"kibana.alert.rule.name": [
"Threat Intel IP Address Indicator Match"
],
"signal.status": [
"open"
],
"event.kind": [
"signal"
],
"signal.rule.created_at": [
"2024-02-04T19:17:43.240Z"
],
"signal.rule.tags": [
"OS: Windows",
"Data Source: Elastic Endgame",
"Rule Type: Indicator Match"
],
"kibana.alert.workflow_status": [
"open"
],
"kibana.alert.rule.uuid": [
"120b8350-c392-11ee-9fdd-3d33924f994d"
],
"kibana.alert.original_event.category": [
"network"
],
"signal.original_event.provider": [
"filterlog"
],
"kibana.alert.reason": [
"network event with process filterlog, source 104.218.48.107:41262, destination 88.217.235.67:81, created critical alert Threat Intel IP Address Indicator Match."
],
"data_stream.type": [
"logs"
],
"signal.ancestors.id": [
"iUJemI0Bhruqp73BCXcn"
],
"signal.original_time": [
"2024-02-11T14:31:56.000Z"
],
"process.name": [
"filterlog"
],
"ecs.version": [
"8.11.0"
],
"observer.type": [
"firewall"
],
"signal.rule.severity": [
"critical"
],
"kibana.alert.ancestors.index": [
".ds-logs-pfsense.log-default-2024.02.10-000001"
],
"agent.version": [
"8.11.2"
],
"kibana.alert.depth": [
1
],
"kibana.alert.rule.from": [
"now-65m"
],
"kibana.alert.rule.parameters": [
{
"xxxx",
"license": "Elastic License v2",
"timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
"timeline_title": "Generic Threat Match Timeline",
"timestamp_override": "event.ingested",
"author": [
"Elastic"
],
"false_positives": [],
"from": "now-65m",
"rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64",
"max_signals": 100,
"risk_score_mapping": [],
"severity_mapping": [],
"threat": [],
"to": "now",
"references": [
"https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
"https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
"https://www.elastic.co/security/tip"
],
"version": 5,
"exceptions_list": [],
"immutable": true,
"related_integrations": [],
"required_fields": [
{
"name": "destination.ip",
"type": "ip",
"ecs": true
},
{
"name": "source.ip",
"type": "ip",
"ecs": true
}
],
"setup": "\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n",
"type": "threat_match",
"language": "kuery",
"index": [
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
],
"query": "source.ip:* or destination.ip:*\n",
"threat_filters": [
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.category",
"negate": false,
"params": {
"query": "threat"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.category": "threat"
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.kind",
"negate": false,
"params": {
"query": "enrichment"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.kind": "enrichment"
}
}
},
{
"$state": {
"store": "appState"
},
"meta": {
"disabled": false,
"key": "event.type",
"negate": false,
"params": {
"query": "indicator"
},
"type": "phrase"
},
"query": {
"match_phrase": {
"event.type": "indicator"
}
}
}
],
"threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"",
"threat_mapping": [
{
"entries": [
{
"field": "source.ip",
"type": "mapping",
"value": "threat.indicator.ip"
}
]
},
{
"entries": [
{
"field": "destination.ip",
"type": "mapping",
"value": "threat.indicator.ip"
}
]
}
],
"threat_language": "kuery",
"threat_index": [
"filebeat-*",
"logs-ti_*"
],
"threat_indicator_path": "threat.indicator"
}
],
"kibana.alert.rule.revision": [
0
],
"signal.rule.version": [
"5"
],
"signal.original_event.kind": [
"event"
],
"kibana.alert.status": [
"active"
],
"kibana.alert.last_detected": [
"2024-02-11T14:08:07.329Z"
],
"source.geo.location": [
{
"coordinates": [
-97.822,
37.751
],
"type": "Point"
}
],
"kibana.alert.original_event.dataset": [
"pfsense.log"
],
"signal.depth": [
1
],
"source.address": [
"104.218.48.107"
],
"signal.rule.immutable": [
"true"
],
"destination.geo.location": [
{
"coordinates": [
10.8432,
48.3968
],
"type": "Point"
}
],
"kibana.alert.rule.rule_type_id": [
"siem.indicatorRule"
],
"signal.rule.name": [
"Threat Intel IP Address Indicator Match"
],
"event.module": [
"pfsense"
],
"kibana.alert.original_event.provider": [
"filterlog"
],
"signal.rule.rule_id": [
"0c41e478-5263-4c69-8f9e-7dfd2c22da64"
],
"source.geo.country_iso_code": [
"US"
],
"kibana.alert.rule.license": [
"Elastic License v2"
],
"network.bytes": [
44
],
"log.syslog.priority": [
134
],
"network.direction": [
"inbound"
],
"kibana.alert.original_event.kind": [
"event"
],
"event.timezone": [
"+00:00"
],
"network.type": [
"ipv4"
],
"source.as.organization.name.text": [
"IS-AS-1"
],
"pfsense.ip.id": [
54321
],
"kibana.alert.rule.updated_at": [
"2024-02-07T01:48:45.919Z"
],
"signal.rule.description": [
"This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event."
],
"data_stream.namespace": [
"default"
],
"destination.as.number": [
8767
],
"kibana.alert.rule.author": [
"Elastic"
],
"source.as.organization.name": [
"IS-AS-1"
],
"source.geo.continent_name": [
"North America"
],
"signal.rule.timeline_id": [
"495ad7a7-316e-4544-8a0f-9c098daee76e"
],
"message": [
"134,,,1770010363,igb1,match,block,in,4,0x0,,243,54321,0,none,6,tcp,44,104.218.48.107,88.217.235.67,41262,81,0,S,1771157569,,65535,,mss"
],
"network.transport": [
"tcp"
],
"pfsense.ip.ttl": [
243
],
"signal.original_event.action": [
"block"
],
"kibana.alert.rule.created_at": [
"2024-02-04T19:17:43.240Z"
],
"signal.rule.to": [
"now"
],
"event.type": [
"connection",
"denied"
],
"kibana.alert.original_event.timezone": [
"+00:00"
],
"kibana.space_ids": [
"default"
],
"source.geo.country_name": [
"United States"
],
"pfsense.ip.flags": [
"none"
],
"event.dataset": [
"pfsense.log"
],
"kibana.alert.original_time": [
"2024-02-11T14:31:56.000Z"
]
}
}
(gawd, so much redundant info to sanitize)
I guess, logically, it would make sense to score un-initiated (inbound, blocked) connections lower, rather than looking only at the indicator details?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.