Tune rule to exclude forwarded events. (elastic#3790)
Events containing "forwarded" as a tag may include host information
that is not related to the host running elastic agent. This triggers
false positive alerts. Examples include Entity Analytics integrations,
Palo Alto GlobalProtect activity, and M365 Defender device events.

Co-authored-by: Ruben Groenewoud <[email protected]>
jvalente-salemstate and Aegrah authored Jun 25, 2024
1 parent 2708a89 commit 0726ce4
Showing 1 changed file with 2 additions and 2 deletions.
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/14"

[rule]
author = ["Elastic"]
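Review bot: the `updated_date` in this hunk is set to "2024/06/14" while the commit is authored Jun 25, 2024, so the metadata date lags the actual change; if the repository convention is that `updated_date` reflects the date of the last edit to the rule, it should be bumped to match, and if the date is deliberately the date the change was drafted, a short note in the PR would avoid the question on the next review.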
@@ -29,7 +29,7 @@ timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.agent_id_status:*
event.agent_id_status:* and not tags:forwarded
'''


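Review bot: `and not tags:forwarded` is a blanket exclusion, so every forwarded event is dropped before the threshold is counted, including ones from sources the commit message does not list; since the stated motivation is specific integrations (Entity Analytics, Palo Alto GlobalProtect, M365 Defender device events) whose host fields describe a machine other than the one running Elastic Agent, consider either scoping the exclusion to those data streams or recording the rationale in the rule's description and false-positives section so a later reviewer knows why forwarded events are out of scope and what detection coverage is given up for hosts that only ever arrive as forwarded events.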