Update multiple_alerts_elastic_defend_panw_fortigate_by_host.toml

Samirbous · Samirbous · commit f7929a7aef3b · 2025-11-18T17:22:33.000Z
diff --git a/rules/cross-platform/multiple_alerts_elastic_defend_panw_fortigate_by_host.toml b/rules/cross-platform/multiple_alerts_elastic_defend_panw_fortigate_by_host.toml
@@ -34,7 +34,7 @@ FROM logs-endpoint.alerts-default-*, logs-panw.panos-default-*, logs-fortinet_fo
 | WHERE
         // PANW suspicious events
         (event.dataset == "panw.panos" and
-         event.action in ("virus_detected", "wildfire_virus_detected", "c2_communication", "spyware_detected", "large_upload", "denied")) or
+         event.action in ("virus_detected", "wildfire_virus_detected", "c2_communication", "spyware_detected", "large_upload", "denied") or network.application in ("dns-over-https", "ms-dc-replication")) or
 
         // Fortigate suspicious events
         (event.dataset == "fortinet_fortigate.log" and
