SIEM detections false positive

We upgraded our stack to 7.6.0 yesterday, and we love the new Detections mechanism!

I'm aware these are in beta, but some of the definitions have a boolean 'or' where there should be an 'and'.

This is particularly where the rule is ' from/to the Internet'.

e.g. the SMB Activity to the Internet definition is 'network.transport: tcp and destination.port: (139 or 445) and ( network.direction: outbound or ( source.ip: ( or or and not destination.ip: ( or or ) )'

This will result in detections for ' to' when it shouldn't.
I've highlighted the 'or' that should be changed to 'and'

@danielsnelling I am changing the category from Kibana to SIEM so the SIEM team can pick up your question.

Glad to hear you are liking the detection engine. This is a known issue with the use of the network.direction field that is fixed in 7.6.1. The workaround is to duplicate the rule and remove the network.direction test. This issue is also discussed here:

I've read through that bug, and the proposed fix.
The fix seems to be wanting to completely ignore signals from sysmon (usually stored in winlogbeat-*), and take the view that the signal only comes from a firewall log and not an endpoint.

The rule will work (from a monitored endpoint point of view) if the logic changes the 'or' to an 'and'.
i.e. SMB Activity to the Internet:
If the traffic is tcp and the destination port is 139/445, and the traffic is outbound and the destination ip isn't RFC1918, then Alert!
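To make the three variants discussed in this thread concrete, here is an added example (not code from the original posts or from Elastic) that evaluates the quoted 7.6.0 rule, the suggested workaround (network.direction test removed), and the poster's proposed 'or' to 'and' change over a handful of constructed events. The IP literals were lost from the quoted rule text, so the RFC 1918 ranges are an assumption, and the event records are constructed sample data, not real sysmon or firewall output.

```python
import ipaddress

# Assumed private ranges; the quoted rule text lost its IP literals, so RFC 1918 is
# taken from the poster's own description of the intended logic.
RFC1918 = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_rfc1918(ip: str) -> bool:
    """True if the address falls in one of the assumed RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def smb_tcp(event: dict) -> bool:
    """Common prefix of every variant: TCP to port 139 or 445."""
    return event.get("network.transport") == "tcp" and event.get("destination.port") in (139, 445)


def original_rule(event: dict) -> bool:
    """The 7.6.0 query as quoted in the thread: direction OR private-to-public."""
    return smb_tcp(event) and (
        event.get("network.direction") == "outbound"
        or (is_rfc1918(event["source.ip"]) and not is_rfc1918(event["destination.ip"]))
    )


def workaround_rule(event: dict) -> bool:
    """The suggested workaround: duplicate the rule and drop the network.direction test."""
    return smb_tcp(event) and is_rfc1918(event["source.ip"]) and not is_rfc1918(event["destination.ip"])


def proposed_rule(event: dict) -> bool:
    """The poster's proposal: the 'or' becomes an 'and'."""
    return smb_tcp(event) and (
        event.get("network.direction") == "outbound"
        and (is_rfc1918(event["source.ip"]) and not is_rfc1918(event["destination.ip"]))
    )


# Constructed sample events (ECS-style field names). E1-E3, E5, E6 resemble what an
# endpoint network event would carry; E4 has no network.direction, as a firewall
# log might.
EVENTS = [
    {"id": "E1", "network.transport": "tcp", "destination.port": 445, "network.direction": "outbound",
     "source.ip": "10.0.0.5", "destination.ip": "203.0.113.10"},   # endpoint -> Internet
    {"id": "E2", "network.transport": "tcp", "destination.port": 445, "network.direction": "outbound",
     "source.ip": "10.0.0.5", "destination.ip": "10.0.0.20"},      # endpoint -> internal file server
    {"id": "E3", "network.transport": "tcp", "destination.port": 445, "network.direction": "inbound",
     "source.ip": "203.0.113.10", "destination.ip": "10.0.0.5"},   # Internet -> endpoint
    {"id": "E4", "network.transport": "tcp", "destination.port": 139,
     "source.ip": "192.168.1.7", "destination.ip": "198.51.100.3"},  # no direction field
    {"id": "E5", "network.transport": "udp", "destination.port": 445, "network.direction": "outbound",
     "source.ip": "10.0.0.5", "destination.ip": "203.0.113.10"},   # wrong transport
    {"id": "E6", "network.transport": "tcp", "destination.port": 443, "network.direction": "outbound",
     "source.ip": "10.0.0.5", "destination.ip": "203.0.113.10"},   # wrong port
]


def evaluate(rule, events=EVENTS) -> list:
    """Return the ids of the events the given rule variant would alert on."""
    return [e["id"] for e in events if rule(e)]


if __name__ == "__main__":
    for name, rule in (("original", original_rule), ("workaround", workaround_rule), ("proposed", proposed_rule)):
        print(f"{name:>10}: {evaluate(rule)}")
```

E2 is the case the thread is about: an endpoint talking SMB to an internal server is 'outbound' from the endpoint's point of view, so the quoted rule alerts on it even though both addresses are private. Both the workaround and the proposed change stop that, but they differ on E4: the workaround still alerts on a record with no network.direction field at all, while the proposed rule does not, which is the trade-off the second reply describes.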