Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

Samirbous · Samirbous · commit 36d85e88ea2e · 2025-11-18T18:02:28.000Z
diff --git a/rules/cross-platform/multiple_alerts_elastic_defend_panw_fortigate_by_host.toml b/rules/cross-platform/multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
@@ -88,11 +88,10 @@ FROM logs-* metadata _id
         Esql.event_action_values = VALUES(event.action),
         Esql.process_executable_values = VALUES(process.executable),
         Esql.host_id_values = VALUES(host.id),
-        Esql.user_name_values = VALUES(user.name),
-        Esql.destination_ip_values = VALUES(destination.ip)
+        Esql.user_name_values = VALUES(user.name)
         by Esql.source_ip
 | where Esql.event_module_distinct_count >= 2
-| keep Esql.alerts_count, Esql.source_ip, Esql.destination_ip_values, Esql.host_id_values, Esql.user_name_values, Esql.event_module_values, Esql.message_values, Esql.process_executable_values
+| keep Esql.alerts_count, Esql.source_ip, Esql.host_id_values, Esql.user_name_values, Esql.event_module_values, Esql.message_values, Esql.process_executable_values
 ource_ip, Esql.destination_ip_values, Esql.host_id_values, Esql.user_name_values, Esql.event_module_values, Esql.message_values, Esql.process_executable_values
 '''
 note = """## Triage and analysis
