Has anyone noticed a "HUGE" amount of false positives that occur when enabling the Detection Rule [Threat Intel Filebeat Module Indicator Match]. This rule is tagged as follows
Continuous Monitoring
Elastic
Elastic Endgame
Monitoring
Network
SecOps
Windows
I don't have Elastic Endgame, I just have the free elastic security endpoint agent. I am wondering if this detection rule, requires Endgame and this is why I am getting so many false positives???
If you're getting detections for datasources you're not ingesting I'd be curious to see what events triggered the alert.
There was a recent thread discussing the threat intel module alerts and the consensus is to remove the indexes you're not using or break them into smaller/separate alerts.
I can say I haven't seen any FPs from my rule, FWIW.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.