False Positive - RPC (Remote Procedure Call) to the Internet (Kuery)

Gary_Blackwell · May 5, 2020, 3:02pm

There is a built-in detection rule watching for TCP traffic on port 135 to the Internet.

network.transport: tcp and destination.port: 135 and (network.direction: outbound or (source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)))

However, this rule has triggered with traffic from local source IP 192.168.1.4 to destination 192.168.1.125 on port 135.

Thanks,
Gary

Gary_Blackwell · May 5, 2020, 3:22pm

I answered my own question.

Frank_Hassanabad · May 6, 2020, 8:46pm

Thanks for finding it and posting the solution to your own thread. Appreciate it!

system · June 3, 2020, 8:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SIEM detections false positive SIEM	5	950	April 25, 2020
False positive on SIEM rule SSH to the Internet SIEM	4	475	June 15, 2020
SIEM open rules Elastic Security	3	607	October 7, 2021
[Elastic Security/SIEM] - Detect if a source IP contacts more destination IPs or more destination ports Elastic Security	2	91	August 21, 2024
How to handle network.direction:unknown? SIEM	3	500	May 2, 2020

False Positive - RPC (Remote Procedure Call) to the Internet (Kuery)

Related topics