[Rule Tuning] Agent Spoofing - Multiple Hosts Using Same Agent #3932

Open
tehbooom opened this issue Jul 30, 2024 · 0 comments

Labels: backlog, community, Rule: Tuning (tweaking or tuning an existing rule), Team: TRADE

@tehbooom (Member)

Link to Rule

No response

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

Related to #3613

Receiving a very high rate of false positives for this rule.
The host.id is null for these alerts.

Rule is up to date with changes from #3790

We ran the following ES|QL query and saw no datasets causing the alerts:

from logs-*
| where host.id is not null and elastic_agent.id is not null
| stats hosts_per_agent = count_distinct(host.id) by elastic_agent.id, data_stream.dataset
| where hosts_per_agent > 1
| sort hosts_per_agent desc
| keep hosts_per_agent, data_stream.dataset

Example Data

No response

@tehbooom tehbooom added Rule: Tuning tweaking or tuning an existing rule Team: TRADE labels Jul 30, 2024
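The ES|QL query in the issue excludes documents whose host.id is null, while the false-positive alerts described there all have a null host.id. The following stand-alone Python script is an added example (it is not code from the issue author or from the detection-rules project): it re-implements that aggregation over a handful of constructed events, then runs the same count with a missing host.id treated as its own value, so the two views can be compared side by side. It also lists which datasets ship events without a host.id, which is the first thing to check when tuning. The events, the `NULL_HOST` sentinel, and the assumption that a null host.id is what inflates the per-agent host count are all assumptions made for illustration; the page does not show the rule's own query.

```python
"""
Added example, not from the issue or the Elastic detection-rules project.
Field names follow ECS / Elastic Agent conventions (host.id, elastic_agent.id,
data_stream.dataset). All events below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample events (not real telemetry). agent-A always runs on host-1,
# but two of its documents arrive with no host.id, the symptom reported in the
# issue. agent-B genuinely reports two different host.id values.
SAMPLE_EVENTS = [
    {"elastic_agent.id": "agent-A", "host.id": "host-1", "data_stream.dataset": "system.syslog"},
    {"elastic_agent.id": "agent-A", "host.id": "host-1", "data_stream.dataset": "system.auth"},
    {"elastic_agent.id": "agent-A", "host.id": None,     "data_stream.dataset": "system.auth"},
    {"elastic_agent.id": "agent-A",                      "data_stream.dataset": "system.syslog"},
    {"elastic_agent.id": "agent-B", "host.id": "host-2", "data_stream.dataset": "system.syslog"},
    {"elastic_agent.id": "agent-B", "host.id": "host-3", "data_stream.dataset": "system.syslog"},
]

# Hypothetical sentinel used only when a missing host.id is counted as a value.
NULL_HOST = "<null host.id>"


def hosts_per_agent(events, drop_null_hosts=True):
    """Return {(elastic_agent.id, data_stream.dataset): distinct host.id count}.

    drop_null_hosts=True mirrors the issue's query: documents with a null
    host.id (or no elastic_agent.id) are skipped before counting.
    drop_null_hosts=False keeps them and counts the missing value as one
    extra "host", which is the assumed source of the inflated counts.
    """
    seen = defaultdict(set)
    for ev in events:
        agent = ev.get("elastic_agent.id")
        host = ev.get("host.id")
        if agent is None:
            continue  # where elastic_agent.id is not null
        if host is None:
            if drop_null_hosts:
                continue  # where host.id is not null
            host = NULL_HOST
        seen[(agent, ev.get("data_stream.dataset"))].add(host)
    return {key: len(hosts) for key, hosts in seen.items()}


def suspicious(events, drop_null_hosts=True, threshold=1):
    """Mirror `where hosts_per_agent > 1 | sort hosts_per_agent desc`.

    Returns a list of (hosts_per_agent, elastic_agent.id, data_stream.dataset)
    tuples, highest count first, ties broken by agent then dataset.
    """
    counts = hosts_per_agent(events, drop_null_hosts)
    rows = [(n, agent, ds) for (agent, ds), n in counts.items() if n > threshold]
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def datasets_missing_host_id(events):
    """Count documents per data_stream.dataset that carry no host.id.

    Tuning check: these are the datasets to exclude from, or enrich for, a
    rule that keys on host.id per agent.
    """
    missing = defaultdict(int)
    for ev in events:
        if ev.get("host.id") is None:
            missing[ev.get("data_stream.dataset")] += 1
    return dict(missing)


if __name__ == "__main__":
    print("nulls dropped (as in the issue's query):", suspicious(SAMPLE_EVENTS))
    print("nulls counted as a host:", suspicious(SAMPLE_EVENTS, drop_null_hosts=False))
    print("datasets with missing host.id:", datasets_missing_host_id(SAMPLE_EVENTS))
```

With the nulls dropped, only agent-B (two real host.id values) is reported, which matches the issue author's experience of the ES|QL query finding nothing for the alerting agents; with the missing host.id counted as a value, agent-A also crosses the threshold in both of its datasets. The `datasets_missing_host_id` output points at the integrations whose documents lack host.id, which is where a tuning exclusion or a processor that populates host.id would go.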