Rule Tuning Analysis
Rule ID: 32923416-763a-4531-bb35-f33b9232ecdb
Rule Name: RPC (Remote Procedure Call) to the Internet
Rule Type: query
Classification
| Metric | Value |
|---|---|
| Category | NOISY_PERFORMANT |
| Priority | MEDIUM |
| Tuning Score | 61.36 |
| Version Status | ✅ Established (24 release cycles) |
Alert Telemetry
| Metric | Value |
|---|---|
| Total Alerts (3d) | 29,846 |
| Unique Clusters | 25 |
| Cluster Coverage | 1.0% |
| Daily Average | 9949 |
| Days Active | 3 |
| Coefficient of Variation | 0.60 (MODERATE) |
Analysis Flags
- 🔴 Noisy on Latest Version: ✅ Yes
- 🔴 Widespread False Positive: ❌ No
- ⚠️ Version Regression: ❌ No
- ⚠️ Stale and Noisy: ❌ No
- ⚠️ Low Version / High Volume: ❌ No
- ℹ️ Low Activity: ❌ No
Recommendation
Action: Add KQL exclusions for PAN-OS incomplete flows, dropped/timeout actions, and a low-packet threshold to suppress handshake/scan noise while keeping established RPC to Internet.
Rationale: The rule is firing heavily on PAN-OS network flow logs showing TCP/135 attempts that never fully establish (network.application: "incomplete") and very low packet/byte volumes. This broad condition (any RFC1918 host to external TCP/135 or zeek.dce_rpc) captures transient/failed handshakes and dropped flows, creating substantial noise. Tightening the query to exclude incomplete/dropped flows and very low-packet traffic preserves real RPC exposure while reducing scan/handshake noise.
Query Modifications
PAN-OS incomplete application classification floods alerts with failed handshakes. (Impact: both)
Current:
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) ...
Modify →
and not (event.dataset:panw.panos and network.application:"incomplete")
Failed handshakes/scans are classified as "incomplete"; excluding them focuses detection on established RPC sessions or traffic recognized by Zeek DCE/RPC.
Dropped/timeout flows generate noise and do not represent real exposure. (Impact: both)
Current:
No action-based filtering; includes flow_dropped/timeout.
Modify →
and not event.action:(flow_dropped or timeout)
Removes flows that were not successfully permitted through the firewall, aligning detection with actual RPC exposure.
Single-packet/very low-volume flows (typical scans) inflate alerts. (Impact: both)
Current:
No traffic volume threshold; 1–2 packet flows match equally.
Modify →
and not (event.dataset:panw.panos and network.packets <= 2)
Requires more than a couple of packets in PAN-OS flows, reducing SYN-only or brief attempts while retaining real RPC communication.
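The following is an added example, not code from the advisor or from the Elastic rule itself: it re-implements the rule condition described in the rationale and the three proposed exclusions in Python, then runs both over constructed flow events to show which alerts each exclusion suppresses and which established RPC traffic survives. The ECS field names are those the issue uses; the sample addresses, the event.action value flow_terminated and the Zeek record's port are assumptions made for the example.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def flow(src, dst, port=135, dataset="panw.panos", app="msrpc", packets=50,
         action="flow_terminated", transport="tcp"):
    # Flat ECS-style event; the values are constructed for this example.
    return {"event.dataset": dataset, "event.category": "network", "network.transport": transport,
            "source.ip": src, "destination.ip": dst, "destination.port": port,
            "network.application": app, "network.packets": packets, "event.action": action}

def base_match(ev):
    # Current rule condition as the issue describes it: RFC1918 TCP source to an
    # external destination on port 135, or any Zeek DCE/RPC record.
    return (ev.get("event.category") == "network" and ev.get("network.transport") == "tcp"
            and is_rfc1918(ev["source.ip"]) and not is_rfc1918(ev["destination.ip"])
            and (ev.get("destination.port") == 135 or ev.get("event.dataset") == "zeek.dce_rpc"))

def tuned_match(ev):
    # base_match plus the three proposed exclusions. As in KQL, a missing field never
    # satisfies a comparison, so Zeek records without network.packets are not dropped.
    if not base_match(ev):
        return False
    panos = ev.get("event.dataset") == "panw.panos"
    if panos and ev.get("network.application") == "incomplete":
        return False
    if ev.get("event.action") in ("flow_dropped", "timeout"):
        return False
    packets = ev.get("network.packets")
    return not (panos and packets is not None and packets <= 2)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    flow("10.1.2.3", "203.0.113.10", app="incomplete", packets=1, action="flow_started"),
    flow("10.1.2.4", "203.0.113.10", packets=40, action="flow_dropped"),
    flow("10.1.2.5", "203.0.113.11", packets=2),  # probe-sized flow
    flow("10.1.2.6", "203.0.113.12", packets=120),  # established RPC to the Internet: kept
    flow("192.168.5.5", "198.51.100.7", port=49152, dataset="zeek.dce_rpc",
         app=None, packets=None, action=None),  # Zeek DCE/RPC: kept
    flow("10.0.0.1", "10.0.0.2"),  # internal to internal: never matched
    flow("10.1.2.7", "203.0.113.13", transport="udp"),  # not TCP: never matched
]

def alert_counts(events):
    # (alerts under the current rule, alerts after the three exclusions)
    return sum(map(base_match, events)), sum(map(tuned_match, events))
```

Running alert_counts(SAMPLE_EVENTS) shows five of the seven events alerting under the current condition and only the two established RPC flows alerting once the exclusions are applied.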
Exception Recommendations
Add exception: network.application is "incomplete" (Confidence: HIGH)
All 5 sample alerts show network.application: "incomplete" with 1–2 packets and 62/132 bytes, indicating failed handshakes or scans. Field diversity is dominated by PAN-OS flows, and this pattern is a common benign noise source in firewall telemetry.
Modify →
and network.application is "incomplete"
Add exception: event.action is one of "flow_dropped, timeout" (Confidence: MEDIUM)
Field diversity shows significant presence of flow_dropped and timeout. These are not established connections and should be excluded to focus on successful RPC exposure.
Modify →
and event.action is one of "flow_dropped, timeout"
Field-Level Recommendations
| Field | Value | Alert % | Cluster % | Confidence | Type |
|---|---|---|---|---|---|
| network.application | incomplete | 0.0% | 70.0% | HIGH | EXCEPTION |
| event.action | flow_dropped, timeout | 0.0% | 40.0% | MEDIUM | EXCEPTION |
| user.domain | itsyork | 181357.1% | 0.0% | LOW | CUSTOMER_SPECIFIC |
| event.dataset | panw.panos | 141156.7% | 0.9% | LOW | CUSTOMER_SPECIFIC |
| user.domain | redlobster | 126171.4% | 0.0% | LOW | CUSTOMER_SPECIFIC |
This issue was generated by the GenAI Tradecraft Rule Tuning Advisor.
Analysis timestamp: 2025-12-18T06:09:24.872046