Update command_and_control_suricata_elastic_defend_c2.toml

Samirbous · Samirbous · commit ca8d32d8f9c4 · 2025-12-10T14:45:44.000Z
diff --git a/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml b/rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml
@@ -38,7 +38,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by source.port, source.ip, destination.ip with maxspan=1m
- [network where event.module == "suricata" and event.category == "intrusion_detection" and source.ip != null and destination.ip != null]
+ [network where event.module == "suricata" and event.category == "intrusion_detection" and event.kind == "alert" and source.ip != null and destination.ip != null]
  [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
 '''
 note = """## Triage and analysis
