False Positive - RPC (Remote Procedure Call) to the Internet (Kuery)

There is a built-in detection rule watching for TCP traffic on port 135 to the Internet.

network.transport: tcp and destination.port: 135 and (network.direction: outbound or (source.ip: ( or or ) and not destination.ip: ( or or )))

However, this rule has triggered on traffic from a local source IP to a destination on port 135.
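To show how the two branches of that query interact, here is an added Python re-implementation of the rule run over a few constructed events. It is example code written for this thread, not Elastic's rule code and not the original poster's, and it assumes the elided source.ip / destination.ip lists are the RFC 1918 private ranges. The thread does not record what the poster found; the example only shows that the network.direction: outbound branch matches on its own, without consulting either IP list, so a private-to-private connection tagged outbound fires just as an internal-to-Internet one does.

```python
import ipaddress
from typing import Optional

# Assumption: the page's copy of the query has the IP lists elided ("( or or");
# the RFC 1918 private ranges are assumed here for both lists.
PRIVATE_NETS = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_private(ip: str) -> bool:
    """True if ip falls inside one of the assumed private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def rpc_to_internet(event: dict) -> Optional[str]:
    """Evaluate the rule against one flat (dotted-key) event.

    Returns the clause that matched: "direction" when network.direction is
    outbound, "ip-range" when the source is private and the destination is
    not, or None when the event does not match.
    """
    if event.get("network.transport") != "tcp":
        return None
    if event.get("destination.port") != 135:
        return None
    # First branch of the OR: direction alone is sufficient; the IPs are not
    # consulted, so private-to-private traffic still matches here.
    if event.get("network.direction") == "outbound":
        return "direction"
    # Second branch: private source and non-private destination.
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if src is None or dst is None:
        return None
    if is_private(src) and not is_private(dst):
        return "ip-range"
    return None


# Constructed sample events (not from the page); 203.0.113.0/24 is TEST-NET-3.
SAMPLE_EVENTS = {
    "private-to-public": {
        "network.transport": "tcp", "destination.port": 135,
        "source.ip": "10.1.2.3", "destination.ip": "203.0.113.5",
    },
    "private-to-private-outbound": {
        "network.transport": "tcp", "destination.port": 135,
        "network.direction": "outbound",
        "source.ip": "10.1.2.3", "destination.ip": "10.1.2.10",
    },
    "private-to-private-no-direction": {
        "network.transport": "tcp", "destination.port": 135,
        "source.ip": "10.1.2.3", "destination.ip": "10.1.2.10",
    },
    "udp-135": {
        "network.transport": "udp", "destination.port": 135,
        "source.ip": "10.1.2.3", "destination.ip": "203.0.113.5",
    },
    "inbound-from-internet": {
        "network.transport": "tcp", "destination.port": 135,
        "network.direction": "inbound",
        "source.ip": "203.0.113.5", "destination.ip": "192.168.1.5",
    },
}


def evaluate_all() -> dict:
    """Run the rule over every sample event; maps event name -> matched clause."""
    return {name: rpc_to_internet(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:36s} -> {result}")
```

The practical check this suggests when triaging such an alert is to look at which clause fired: if the event carries network.direction: outbound, the IP lists never came into play, and the value of that field (and how the sensor populates it) is what decides whether the hit is a false positive.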


I answered my own question.

Thanks for finding it and posting the solution to your own thread. Appreciate it!