[Rule Tuning] RPC (Remote Procedure Call) from the Internet

[SebastianHuettersen]

Link to Rule

https://www.elastic.co/guide/en/security/current/rpc-remote-procedure-call-to-the-internet.html

Rule Tuning Type

Data Quality - Ensuring integrity and quality of data used by detection rules.

Description

Currently, the Rule will only work with Network Packet Capture and Palo Alto Next-Gen Firewall.

It would be kind if we could have the ability to apply this and similar rules to logs collected by Fortinet FortiGate Firewall Logs as well.

The following rules there identified in issue #3998 that may be possible to trigger by different vendor Firewalls as well:

• RPC (Remote Procedure Call) to the Internet
• RPC (Remote Procedure Call) from the Internet
• VNC (Virtual Network Computing) to the Internet
• VNC (Virtual Network Computing) from the Internet
• Accepted Default Telnet Port Connection
• Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
• Possible FIN7 DGA Command and Control Behavior
• IPSEC NAT Traversal Port Activity
• SMTP on Port 26/TCP
• Potential Network Sweep Detected
• Potential Network Scan Detected
• Potential SYN-Based Network Scan Detected
• RDP (Remote Desktop Protocol) from the Internet
• SMB (Windows File Sharing) Activity to the Internet

Example Data

No response

[mbudge]

Be good to get more rules like this working with cisco asa and checkpoint firewall index patterns. Will need alert suppression to prevent the siem being flooded.

[mbudge]

Also checkpoint/cisco asa firewall log data.

[mbudge]

• netflow data