How to handle network.direction:unknown?

I'm getting detections where the network.direction is "unknown". Upon investigation this is just the source port from a vulnerability scanner (Detectify):

  "destination": {
    "bytes": 4128,
    "ip": "52.17.98.131",
    "port": 5802,
    "packets": 33
  },
  "source": {
    "port": 80,
    "packets": 19,
    "bytes": 7590,
    "ip": "10.128.0.2"
  }

Obviously this looks like a false positive - if the engine isn't sure whether the source is the destination or vice versa there are going to be a lot of false positives. Is it correct to assume this is being alerted out of caution so that a human can investigate?

Is it correct to assume this is being alerted out of caution so that a human can investigate?

I'd have to ask @Craig_Chamberlain if that is for sure the reasoning, but I can say for sure that if you do not want to see detections for direction unknown you can copy -> and then edit the rule to make changes to remove that case or even make it more strict to only pay attention to that use case when it's a particular IP range or set of hosts (for example).

This conversation might be useful:
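As an added example (not code from the forum, from Elastic, or from the rule in question), the scoping idea in the reply modelled in Python: recompute the direction from the IPs, swap the endpoints when the ports suggest the flow was recorded backwards (a service port on the source side, as in the event above), and suppress the alert only when the peer falls in an assumed scanner allowlist. The internal ranges and the scanner entry are placeholder assumptions; the real change is made in the rule itself.

```python
import ipaddress
import json

# Constructed sample event, built from the fields quoted in the question above.
SAMPLE_EVENT = json.loads("""
{"network": {"direction": "unknown"},
 "destination": {"bytes": 4128, "ip": "52.17.98.131", "port": 5802, "packets": 33},
 "source": {"port": 80, "packets": 19, "bytes": 7590, "ip": "10.128.0.2"}}
""")

# Assumed internal ranges and scanner allowlist (hypothetical values; use your own).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCANNER_NETS = [ipaddress.ip_network("52.17.98.131/32")]  # placeholder, not a vendor-published range


def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def looks_reversed(event):
    """Heuristic: a well-known service port on the source side and an ephemeral
    port on the destination side usually means the flow was captured backwards."""
    sp = event["source"].get("port", 0)
    dp = event["destination"].get("port", 0)
    return sp < 1024 <= dp


def derive_direction(event):
    """Recompute ECS network.direction from the IPs alone, swapping the endpoints
    first when looks_reversed() says the capture is backwards."""
    src, dst = event["source"].get("ip"), event["destination"].get("ip")
    if not src or not dst:
        return "unknown"  # cannot be derived; leave for a human
    if looks_reversed(event):
        src, dst = dst, src
    s, d = in_nets(src, INTERNAL_NETS), in_nets(dst, INTERNAL_NETS)
    return "internal" if s and d else "outbound" if s else "inbound" if d else "external"


def triage(event):
    """Return (direction, decision): keep the alert unless the only reason for it
    is traffic with an authorised scanner address."""
    direction = derive_direction(event)
    if direction == "unknown":
        return direction, "keep: direction cannot be derived, needs a human"
    peers = [p for p in (event["source"].get("ip"), event["destination"].get("ip")) if p]
    if any(in_nets(p, SCANNER_NETS) for p in peers):
        return direction, "suppress: peer is an authorised scanner"
    return direction, "keep: review"
```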
