Description
Rule Tuning Analysis
Rule ID: c82b2bd8-d701-420c-ba43-f11a155b681a
Rule Name: SMB (Windows File Sharing) Activity to the Internet
Rule Type: query
Classification
| Metric | Value |
|---|---|
| Category | NOISY_PERFORMANT |
| Priority | MEDIUM |
| Tuning Score | 61.73 |
| Version Status | ✅ Established (24 release cycles) |
Alert Telemetry
| Metric | Value |
|---|---|
| Total Alerts (3d) | 35,553 |
| Unique Clusters | 44 |
| Cluster Coverage | 1.8% |
| Daily Average | 11,851 |
| Days Active | 3 |
| Coefficient of Variation | 0.56 (MODERATE) |
Analysis Flags
- 🔴 Noisy on Latest Version: ✅ Yes
- 🔴 Widespread False Positive: ❌ No
- ⚠️ Version Regression: ❌ No
- ⚠️ Stale and Noisy: ❌ No
- ⚠️ Low Version / High Volume: ❌ No
- ℹ️ Low Activity: ❌ No
Recommendation
Action: Exclude incomplete single-packet PAN-OS flows and scanner policy names by adding precise KQL negations to the rule.
Rationale: The rule correctly looks for internal SMB (139/445) to the Internet, but the majority of alerts are single-packet, PAN-OS-classified 'incomplete' flows that strongly indicate scanner or failed handshake noise (e.g., InfoBlox-Scan-1). Tightening the query to exclude incomplete/1-packet flows and known scanner policy names will substantially reduce noise while preserving meaningful SMB connections or SMB-parsed sessions (e.g., zeek.smb).
Query Modifications
1. Scanner/failed handshakes ('incomplete') from PAN-OS produce single-packet SMB attempts that overwhelm the rule. (Impact: accuracy)

Current:
```
… and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) …
```
Modify →
```
… and network.transport: tcp and (destination.port:(139 or 445) or event.dataset: zeek.smb)
and not (event.dataset: panw.panos and network.application: "incomplete")
```
Targets a concrete benign pattern evidenced in all samples, preserving legitimate SMB sessions while removing scanner/failed handshakes from PAN-OS.

2. Single-packet SYNs of roughly 60–64 bytes are typical noise (scans/timeouts) across firewall logs. (Impact: both)

Current:
No packet/byte-based gating

Modify →
```
… and not (network.packets <= 2 and network.bytes <= 128)
```
Keeps sessions that progressed beyond the initial SYN/SYN-ACK, aligned with exfiltration and real SMB use cases, while filtering trivial noise.

3. Known scanner policy names introduce systemic false positives. (Impact: accuracy)

Current:
No policy-name filter

Modify →
```
… and not rule.name: ("InfoBlox*" or "Infoblox*")
```
Removes clear scanner-origin traffic without impacting attacker SMB sessions, which would not bear these policy names.

4. The first clause redundantly mixes dataset and category checks. (Impact: performance)

Current:
```
(event.dataset: network_traffic.flow or (event.category: (network or network_traffic)))
```
Modify →
```
event.category: network
```
`event.category: network` is sufficient for the included indexes and reduces boolean expansion; keep `event.dataset: zeek.smb` in the SMB clause.
Exception Recommendations
Add exception: network.application is "incomplete" (Confidence: HIGH)

All 5 samples show network.application: 'incomplete' with 1 packet and ~60–64 bytes from panw.panos, indicative of scanner/failed handshakes rather than real SMB sessions. Excluding this for PAN-OS traffic removes bulk noise while preserving real SMB sessions parsed by zeek.smb.

Modify →
```
and network.application is "incomplete"
```

Add exception: rule.name wildcard "InfoBlox*" (Confidence: MEDIUM)

Multiple samples contain rule.name: 'InfoBlox-Scan-1', which is characteristic of InfoBlox scanning activity. Excluding these firewall policy-named scanner flows reduces systematic scan noise.

Modify →
```
and rule.name wildcard "InfoBlox*"
```

Field-Level Recommendations
| Field | Value | Alert % | Cluster % | Confidence | Type |
|---|---|---|---|---|---|
| network.application | incomplete | 0.0% | 75.0% | HIGH | EXCEPTION |
| rule.name | InfoBlox* | 0.0% | 25.0% | MEDIUM | EXCEPTION |
| destination.ip | 193.23.168.37 | 128420.0% | 0.0% | LOW | CUSTOMER_SPECIFIC |
| event.dataset | panw.panos | 124584.6% | 1.7% | LOW | CUSTOMER_SPECIFIC |
| rule.name | Outbound Catch-all | 108793.8% | 0.0% | LOW | CUSTOMER_SPECIFIC |
This issue was generated by the GenAI Tradecraft Rule Tuning Advisor.
Analysis timestamp: 2025-12-18T06:09:24.855891