How to handle network.direction:unknown?

hilt86 · April 2, 2020, 12:15am

I'm getting detections where the network.direction is "unknown". Upon investigation this is just the source port from a vulnerability scanner (Detectify) :

  "destination": {
    "bytes": 4128,
    "ip": "52.17.98.131",
    "port": 5802,
    "packets": 33},
  "source": {
    "port": 80,
    "packets": 19,
    "bytes": 7590,
    "ip": "10.128.0.2"
  }

Obviously this looks like a false positive - if the engine isn't sure whether the source is destination or vice-versa there are going to be a lot of false positives. Is it correct to assume this is being alerted out of caution so that a human can investigate?

Frank_Hassanabad · April 4, 2020, 4:25pm

Is it correct to assume this is being alerted out of caution so that a human can investigate?

I'd have to ask @Craig_Chamberlain if that is for sure the reasoning, but I can say for sure that if you do not want to see detections for direction unknown you can copy -> and then edit the rule to make changes to remove that case or even make it more strict to only pay attention to that use case when it's a particular IP range or set of hosts (for example).

Frank_Hassanabad · April 4, 2020, 4:29pm

This conversation might be useful:

system · May 2, 2020, 4:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SIEM detections false positive SIEM	5	950	April 25, 2020
False positive on SIEM rule SSH to the Internet SIEM	4	475	June 15, 2020
False Positive - RPC (Remote Procedure Call) to the Internet (Kuery) SIEM	3	417	June 3, 2020
SIEM - Network scan SIEM	4	1864	August 19, 2022
False Positives in the 1000's SIEM	2	503	October 21, 2021

How to handle network.direction:unknown?

Related topics