Update rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml

Co-authored-by: Mika Ayenson, PhD <[email protected]>

Author: Samirbous

rules/cross-platform/command_and_control_socks_fortigate_endpoint.toml

@@ -39,7 +39,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by source.port, source.ip, destination.ip with maxspan=1m
- [network where event.module == "fortinet_fortigate" and event.action == "signature" and network.application in ("SOCKS4", "SOCKS5")]
+ [network where event.dataset == "fortinet_fortigate.log" and event.action == "signature" and network.application in ("SOCKS4", "SOCKS5")]
  [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
 '''
 note = """## Triage and analysis