Hello Elastic Community!!
In the last few days I have received a ton of alerts using "Threat Intel Indicator Match".
It is matching specific ports with specific IP addresses.
However, after researching, I have found these alerts are being generated from a server running Azure AD Connect. It is matching the source.ip to 127.0.0.1 and source.port is between the range of 49152 - 65535, which also happens to be the ports that RPC uses during password sync... every 15 minutes.
My question is: I am trying to create an exception that looks like this
source.ip is 127.0.0.1 and host.name is "server.name" and source.port is one of 49152 - 65535
The problem I am having is how do I create a range of ports in exceptions?
Would I need to create a list under Manage Rules?
Rule exceptions and value lists | Elastic Security Solution [8.4] | Elastic
According to Rule exceptions and value lists | Elastic Security Solution [8.4] | Elastic
value list exceptions can be created only for 4 types of fields:
You can create value lists with these types:
Keywords (many ECS fields are keywords)
source.port has mapping type of long according to Source Fields | Elastic Common Schema (ECS) Reference [8.4] | Elastic
Are there any other properties in events that can be used to identify which ones can be filtered, apart from
Sadly not for this particular rule, it is alerting when source.ip and source.port match. I'll look into maybe trying to figure out how to disable that particular rule.
There is a possible workaround:
Duplicate this prebuilt rule and then add filters on the rule edit page that restrict port values.
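As an added illustration of that workaround (not code from the thread or from Elastic's prebuilt rule), this is the kind of filter you would attach on the duplicated rule's edit page via "Edit as Query DSL". It excludes only events where all three conditions from the original question hold: loopback source.ip, the named host, and a source.port in the ephemeral RPC range. The host name "server.name" is the placeholder used in the question; substitute the real Azure AD Connect host so the exclusion stays scoped to that one machine and indicator hits from any other host still alert:

```json
{
  "bool": {
    "must_not": {
      "bool": {
        "filter": [
          { "term": { "source.ip": "127.0.0.1" } },
          { "term": { "host.name": "server.name" } },
          { "range": { "source.port": { "gte": 49152, "lte": 65535 } } }
        ]
      }
    }
  }
}
```

The same condition in KQL, if you prefer the query bar over the DSL editor, is `not (source.ip : "127.0.0.1" and host.name : "server.name" and source.port >= 49152 and source.port <= 65535)`; the range comparison works here because source.port is mapped as long. Since this is a query-level filter rather than an exception item, the excluded events are never evaluated against the indicator index at all, so keep all three terms together: dropping the host.name term would silence loopback RPC traffic fleet-wide, and dropping the port range would silence every loopback event from that host.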
Awesome! Thank you so much. I have a ton to learn and we will be completing some of the training soon!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.