Tons of Alerts Using "Threat Intel Indicator Match"

Hello Elastic Community!!

In the last few days I have received a ton of alerts using "Threat Intel Indicator Match".

It is matching specific ports with specific IP addresses.

However, after researching, I have found these alerts are being generated from a server running Azure AD Connect. It is matching the source.ip to 127.0.0.1 and the source.port values are in the range 49152 - 65535, which also happens to be the ports that RPC uses during password sync... every 15 minutes.

My question is: I am trying to create an exception that looks like this:

source.ip is 127.0.0.1 and host.name is "server.name" and source.port is one of 49152 - 65535

The problem I am having is: how do I create a range of ports in exceptions?

Would I need to create a list under Manage Rules?

Rule exceptions and value lists | Elastic Security Solution [8.4] | Elastic

Hi, @Viral-Technology

According to Rule exceptions | Elastic Security Solution [8.11] | Elastic,
value list exceptions can be created only for 4 types of fields:

You can create value lists with these types:

  • Keywords (many ECS fields are keywords)
  • IP Addresses
  • IP Ranges
  • Text

and source.port has a mapping type of long according to Source Fields | Elastic Common Schema (ECS) Reference [8.4] | Elastic.

Are there any other properties in events that can be used to identify which ones can be filtered, apart from source.port?

Sadly not for this particular rule; it is alerting when source.ip and source.port match. I'll look into maybe trying to figure out how to disable that particular rule.

There is a possible workaround:

Duplicate this prebuilt rule and then add filters on the rule edit page that restrict port values.

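A concrete form of that workaround, as an added example that is not from the original thread: a KQL filter for the duplicated rule that excludes the Azure AD Connect loopback RPC traffic described above. KQL supports range operators on numeric fields such as source.port, which is why this works where a value list does not; the host name is a placeholder to replace with the real server.

```kql
not (
  source.ip : "127.0.0.1"
  and host.name : "server.name"
  and source.port >= 49152 and source.port <= 65535
)
```

Events on other hosts, from other source addresses, or on ports outside the ephemeral range still match the indicator rule as before, so the exclusion stays narrow.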

Vitalii,
Awesome! Thank you so much. I have a ton to learn, and we will be completing some of the training soon!
