Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Rule Tuning] RPC (Remote Procedure Call) from the Internet #4268

Open
SebastianHuettersen opened this issue Nov 13, 2024 · 3 comments · May be fixed by #4275
Open

[Rule Tuning] RPC (Remote Procedure Call) from the Internet #4268

SebastianHuettersen opened this issue Nov 13, 2024 · 3 comments · May be fixed by #4275
Labels
community Rule: Tuning tweaking or tuning an existing rule Team: TRADE

Comments

@SebastianHuettersen
Copy link

Link to Rule

https://www.elastic.co/guide/en/security/current/rpc-remote-procedure-call-to-the-internet.html

Rule Tuning Type

Data Quality - Ensuring integrity and quality of data used by detection rules.

Description

Currently, the Rule will only work with Network Packet Capture and Palo Alto Next-Gen Firewall.

It would be kind if we could have the ability to apply this and similar rules to logs collected by Fortinet FortiGate Firewall Logs as well.

The following rules there identified in issue #3998 that may be possible to trigger by different vendor Firewalls as well:

  • RPC (Remote Procedure Call) to the Internet
  • RPC (Remote Procedure Call) from the Internet
  • VNC (Virtual Network Computing) to the Internet
  • VNC (Virtual Network Computing) from the Internet
  • Accepted Default Telnet Port Connection
  • Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
  • Possible FIN7 DGA Command and Control Behavior
  • IPSEC NAT Traversal Port Activity
  • SMTP on Port 26/TCP
  • Potential Network Sweep Detected
  • Potential Network Scan Detected
  • Potential SYN-Based Network Scan Detected
  • RDP (Remote Desktop Protocol) from the Internet
  • SMB (Windows File Sharing) Activity to the Internet

Example Data

No response
@SebastianHuettersen SebastianHuettersen added Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Nov 13, 2024
@mbudge
Copy link

mbudge commented Nov 22, 2024

Be good to get more rules like this working with cisco asa and checkpoint firewall index patterns. Will need alert suppression to prevent the siem being flooded.

@SHolzhauer SHolzhauer linked a pull request Nov 27, 2024 that will close this issue
Open
2 tasks
@mbudge
Copy link

mbudge commented Jan 7, 2025

Also checkpoint/cisco asa firewall log data.

@mbudge
Copy link

mbudge commented Jan 7, 2025

  • netflow data

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
community Rule: Tuning tweaking or tuning an existing rule Team: TRADE
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add Fortigate Fortinet index to multiple detection rules SHolzhauer/detection-rules
2 participants
@mbudge @SebastianHuettersen