Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

Samirbous · Samirbous · commit 0bea5f8bb057 · 2025-11-18T18:14:18.000Z
diff --git a/rules/cross-platform/multiple_alerts_elastic_defend_panw_fortigate_by_host.toml b/rules/cross-platform/multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
@@ -34,7 +34,7 @@ FROM logs-* metadata _id
 | WHERE
         // PANW suspicious events
         (event.dataset == "panw.panos" and
-         event.action in ("virus_detected", "wildfire_virus_detected", "c2_communication", "spyware_detected", "large_upload", "denied")) or
+         event.action in ("virus_detected", "wildfire_virus_detected", "c2_communication", "spyware_detected", "large_upload", "denied", "exploit_detected")) or
 
         // Fortigate suspicious events
         (event.dataset == "fortinet_fortigate.log" and
