Update rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml

Co-authored-by: Mika Ayenson, PhD <[email protected]>

Author: Samirbous

rules/cross-platform/command_and_control_suricata_elastic_defend_c2.toml

@@ -38,7 +38,7 @@ tags = [
 type = "eql"
 query = '''
 sequence by source.port, source.ip, destination.ip with maxspan=1m
- [network where event.module == "suricata" and event.kind == "alert" and event.severity != 3 and source.ip != null and destination.ip != null]
+ [network where event.dataset == "suricata.eve" and event.kind == "alert" and event.severity != 3 and source.ip != null and destination.ip != null]
  [network where event.module == "endpoint" and event.action in ("disconnect_received", "connection_attempted")]
 '''
 note = """## Triage and analysis