Update command_and_control_suricata_elastic_defend_c2.toml

Author: Samirbous

rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml

@@ -38,13 +38,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by source.port, source.ip, destination.ip with maxspan=1m
- [network where event.module == "suricata" and source.ip != nulll and destination.ip != null and
-  message in ("Command and Control Traffic", "Potentially Bad Traffic", "A Network Trojan was detected", "Detection of a Network Scan",
-              "Domain Observed Used for C2 Detected", "Malware Command and Control Activity Detected", "Misc Attack",
-              "Device Retrieving External IP Address Detected", "Attempted Information Leak", "Web Application Attack",
-              "SQL Injection Attempt", "Attempted User Privilege Gain", "Attempted Administrator Privilege Gain",
-              "Executable code was detected", "Webshell Tool Traffic", "Possibly Unwanted Program Detected", "A system call was detected",
-              "Unknown Traffic", "Crypto Currency Mining Activity Detected", "Possible Social Engineering Attempted")]
+ [network where event.module == "suricata" and source.ip != null and destination.ip != null]
  [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
 '''
 note = """## Triage and analysis