Commit
Tune rule to exclude forwarded events. (elastic#3790)
Events containing "forwarded" as a tag may include host information that is not related to the host running Elastic Agent. This triggers false positive alerts. Examples include Entity Analytics integrations, Palo Alto GlobalProtect activity, and M365 Defender device events.

Co-authored-by: Ruben Groenewoud <[email protected]>