RDP from Internet rule triggering on bogon IP address


Noticed the SIEM rule "RDP (Remote Desktop Protocol) from the Internet" triggered on source.ip: "" which is a bogon link-local address.


So this should not be considered as "from the Internet" and so "" should be excluded in the query?

event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and not source.ip:( or or and destination.ip:( or or or or "::1")



Hi Willem, thanks for submitting this rule improvement suggestion!

I've created an issue in our public detection-rules repo, passing along your suggested improvement.

BTW, you can create issues directly in that repo if you prefer, as it is a public repo!

Thanks for your continued contributions to our community!

Well it's kind of confusing, because sometimes when I create some GH issue, I get the message I need to create a forum post first...

Anyway, thanks for creating the GH issue!

By the way, the same consideration might be valid for other "from / to the Internet" rules.
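
The source-side check discussed in this thread, as an added example that is not part of the original posts and not the rule's own code: it decides whether a `source.ip` counts as "from the Internet", treating link-local and other bogon ranges as non-Internet. The range list, the function names and the sample events are assumptions made for illustration, and the rule's destination-side condition is left out.

```python
import ipaddress

# Assumed bogon list for illustration; not the exclusion list of the actual rule.
NON_INTERNET_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local, the case in the thread
    "100.64.0.0/10", "fc00::/7",                       # CGNAT shared space, IPv6 unique local
)]


def is_internet_source(ip):
    """Return True only if ip parses and falls outside every non-Internet range."""
    try:
        addr = ipaddress.ip_address(ip or "")
    except ValueError:
        return False  # missing or malformed source.ip is not treated as "Internet"
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped bogon cannot slip past the IPv4 ranges.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_unspecified or addr.is_multicast:
        return False
    return not any(addr in net for net in NON_INTERNET_NETS)


def rdp_from_internet(event):
    """Source-side logic of the rule, applied to a flattened ECS event (dict)."""
    is_rdp = (event.get("destination.port") == 3389
              or event.get("event.dataset") == "zeek.rdp")
    return (event.get("event.category") in ("network", "network_traffic")
            and event.get("network.transport") == "tcp"
            and is_rdp
            and is_internet_source(event.get("source.ip")))


def alerts(events):
    """Source addresses of the events that would raise the alert."""
    return [e["source.ip"] for e in events if rdp_from_internet(e)]


# Constructed sample events (not taken from the thread).
_BASE = {"event.category": "network", "network.transport": "tcp", "destination.port": 3389}
SAMPLE_EVENTS = [dict(_BASE, **{"source.ip": ip}) for ip in
                 ("8.8.8.8", "169.254.10.20", "::ffff:169.254.10.20", "fe80::1", "10.1.2.3")]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))
```
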

