False Positives in the 1000's

Has anyone noticed a "HUGE" amount of false positives that occur when enabling the Detection Rule [Threat Intel Filebeat Module Indicator Match]? This rule is tagged as follows:
Continuous Monitoring
Elastic
Elastic Endgame
Monitoring
Network
SecOps
Windows

I don't have Elastic Endgame; I just have the free Elastic Security endpoint agent. I am wondering if this detection rule requires Endgame and whether this is why I am getting so many false positives?

If you're getting detections for data sources you're not ingesting, I'd be curious to see what events triggered the alert.

There was a recent thread discussing the threat intel module alerts and the consensus is to remove the indexes you're not using or break them into smaller/separate alerts.

I can say I haven't seen any FPs from my rule, FWIW.
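
To make the two points in this reply concrete (an index pattern you never ingest contributes no alerts, and splitting the rule per indicator type lets you tune the noisy part on its own), here is a small model of an indicator-match rule. This is an added example, not Elastic's rule code or anything posted in this thread: the index patterns, the field-to-field mappings, the exclusion list and every document in it are constructed assumptions that only mirror the general shape of a threat-intel indicator match (IPs and file hashes in source events compared against Filebeat threatintel documents).

```python
"""Toy model of an Elastic-style indicator-match rule (illustration only).

Not Elastic's rule code. Index patterns, field mappings and all documents are
constructed assumptions that mirror the general shape of such a rule.
"""
from fnmatch import fnmatch

# Assumed shape of the rule as shipped: broad source index list, one indicator index.
SHIPPED_SOURCE_INDICES = ["auditbeat-*", "endgame-*", "filebeat-*",
                          "logs-*", "packetbeat-*", "winlogbeat-*"]
INDICATOR_INDICES = ["filebeat-*"]
# (event field, indicator field) pairs; assumed, not copied from the real rule.
MAPPINGS = [
    ("destination.ip", "threatintel.indicator.ip"),
    ("source.ip", "threatintel.indicator.ip"),
    ("url.full", "threatintel.indicator.url.full"),
    ("file.hash.sha256", "threatintel.indicator.file.hash.sha256"),
]

# SHA-256 of zero bytes; feeds sometimes carry it, and it matches every empty file.
EMPTY_FILE_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed indicator documents, shaped like Filebeat threatintel module output.
INDICATORS = [
    {"_index": "filebeat-8.1.0", "event.module": "threatintel",
     "threatintel.indicator.ip": "203.0.113.5"},
    # Over-broad feed entry that also appears in normal traffic on this network.
    {"_index": "filebeat-8.1.0", "event.module": "threatintel",
     "threatintel.indicator.ip": "192.0.2.1"},
    {"_index": "filebeat-8.1.0", "event.module": "threatintel",
     "threatintel.indicator.file.hash.sha256": EMPTY_FILE_SHA256},
]

# Constructed source events: Elastic Endpoint and Packetbeat data, no Endgame at all.
EVENTS = [
    {"_index": "logs-endpoint.events.network-default", "destination.ip": "203.0.113.5"},
    {"_index": "logs-endpoint.events.network-default", "destination.ip": "198.51.100.7"},
    {"_index": "packetbeat-8.1.0", "destination.ip": "192.0.2.1"},
    {"_index": "packetbeat-8.1.0", "source.ip": "192.0.2.1", "destination.ip": "198.51.100.7"},
    {"_index": "logs-endpoint.events.file-default", "file.hash.sha256": EMPTY_FILE_SHA256},
    {"_index": "logs-endpoint.events.file-default",
     "file.hash.sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
]


def in_indices(doc, patterns):
    """True if the document's index matches any of the glob-style patterns."""
    return any(fnmatch(doc["_index"], p) for p in patterns)


def indicator_match(events, indicators, source_indices, mappings, excluded_values=()):
    """Return one (event index, event field, value) tuple per matching event field.

    excluded_values models a rule exception list: indicator documents carrying a
    known-noisy value are dropped before matching.
    """
    iocs = [i for i in indicators
            if in_indices(i, INDICATOR_INDICES)
            and not any(v in excluded_values for v in i.values())]
    hits = []
    for ev in events:
        if not in_indices(ev, source_indices):
            continue
        for ev_field, ioc_field in mappings:
            value = ev.get(ev_field)
            if value is not None and any(ioc.get(ioc_field) == value for ioc in iocs):
                hits.append((ev["_index"], ev_field, value))
    return hits


def hits_as_shipped():
    """Rule as shipped: four hits, three of them from noisy indicators."""
    return indicator_match(EVENTS, INDICATORS, SHIPPED_SOURCE_INDICES, MAPPINGS)


def hits_without_unused_indices():
    """Drop endgame-*, auditbeat-*, winlogbeat-* (no data there): same four hits,
    so a source you never ingest cannot be where the alerts come from."""
    return indicator_match(EVENTS, INDICATORS, ["logs-*", "packetbeat-*"], MAPPINGS)


def hits_per_split_rule():
    """One rule per mapping, so each indicator type can be tuned or disabled alone."""
    return {ev_field: len(indicator_match(EVENTS, INDICATORS, ["logs-*", "packetbeat-*"],
                                          [(ev_field, ioc_field)]))
            for ev_field, ioc_field in MAPPINGS}


def hits_after_tuning():
    """Exception list for the two noisy values: only the real match remains."""
    return indicator_match(EVENTS, INDICATORS, ["logs-*", "packetbeat-*"], MAPPINGS,
                           excluded_values={"192.0.2.1", EMPTY_FILE_SHA256})


if __name__ == "__main__":
    print("as shipped:", hits_as_shipped())
    print("unused indices removed:", hits_without_unused_indices())
    print("per split rule:", hits_per_split_rule())
    print("after tuning:", hits_after_tuning())
```

Running it shows the same four matches whether or not the empty `endgame-*` pattern is in the source list, which is the check to do before blaming a missing data source; the split and tuned variants show where the volume comes from (the IP mapping) and that an exception for the two noisy indicator values leaves the one genuine hit.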
