Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

Samirbous · Samirbous · commit 1bfb02c118ac · 2025-11-18T18:16:09.000Z
diff --git a/rules/cross-platform/multiple_alerts_elastic_defend_panw_fortigate_by_host.toml b/rules/cross-platform/multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
@@ -58,10 +58,10 @@ FROM logs-* metadata _id
         Esql.process_executable_values = VALUES(process.executable),
         Esql.host_id_values = VALUES(host.id),
         Esql.user_name_values = VALUES(user.name),
-        DD = VALUES(destination.ip)
+        Esql.destination_ip_values = VALUES(destination.ip)
         by Esql.source_ip
 | where Esql.event_module_distinct_count >= 2
-| keep Esql.alerts_count, Esql.source_ip, Esql.host_id_values, Esql.user_name_values, Esql.event_module_values, Esql.message_values, Esql.process_executable_values
+| keep Esql.alerts_count, Esql.source_ip, Esql.destination_ip_values, Esql.host_id_values, Esql.user_name_values, Esql.event_module_values, Esql.message_values, Esql.process_executable_values
 '''
 note = """## Triage and analysis
 
