We've upgraded our stack to 7.6.0 yesterday, and we love the new Detections mechanism! I'm aware these are in beta, but some of the definitions have a boolean 'or' where there should be an 'and'. This is particularly where the rule is ' from/to the Internet'. eg. SMB Activity to the Internet defi…

SIEM detections false positive

Nathan_Reese (Nathan Reese) February 14, 2020, 1:14pm 2

@ danielsnelling I am changing the category from Kibana to SIEM so the SIEM team can pick up your question.

Topic		Replies	Views
False Positive - RPC (Remote Procedure Call) to the Internet (Kuery) SIEM	3	446	June 3, 2020
How to handle network.direction:unknown? SIEM	3	520	May 2, 2020
False positive on SIEM rule SSH to the Internet SIEM	4	497	June 15, 2020
SSH (Secure Shell) to the Internet "rule discrepancy?" SIEM	3	535	August 3, 2020
SIEM can't detect DNS activity to Internet SIEM	21	1495	July 15, 2020

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.

SIEM detections false positive

Related topics