Rule Tuning Analysis

Rule ID: 8c1bdde8-4204-45c0-9e0c-c85ca3902488
Rule Name: RDP (Remote Desktop Protocol) from the Internet
Rule Type: query

Classification

Alert Telemetry

Analysis Flags

• 🔴 Noisy on Latest Version: ✅ Yes
• 🔴 Widespread False Positive: ❌ No
• ⚠️ Version Regression: ❌ No
• ⚠️ Stale and Noisy: ❌ No
• ⚠️ Low Version / High Volume: ❌ No
• ℹ️ Low Activity: ❌ No

Recommendation

Action: Exclude PAN-OS denied/dropped traffic and narrow dataset selection to reduce scan noise while keeping real exposed/allowed RDP connections.

Rationale: The rule correctly identifies inbound RDP from the Internet to private addresses but is overly broad for PAN-OS logs, alerting on massive volumes of firewall-denied/dropped attempts. Sample events show panw.panos records with event.type=denied/event.action=flow_dropped/outcome=failure driving noise. Tightening the query to exclude PAN-OS denies/drops and narrowing to specific datasets will significantly reduce noise while preserving detections of actual exposed/allowed RDP connections.

Query Modifications

PAN-OS denied/dropped Internet scans inflate alert volume. (Impact: both)

Current:

… and (destination.port:3389 or event.dataset:zeek.rdp) and …

Modify →

… and (destination.port:3389 or event.dataset:zeek.rdp) and not (event.dataset: panw.panos and (event.type: denied or event.outcome: failure or event.action: (flow_dropped or deny))) …

Events 3–4 show panw.panos with event.type: denied / action: flow_dropped / outcome: failure. Excluding these suppresses high-volume scan noise while preserving actual exposed/allowed RDP connections (e.g., Events 1–2, 5).

Broad dataset predicate uses event.category which can pull non-relevant docs and adds cost. (Impact: performance)

Current:

(event.dataset: network_traffic.flow or (event.category: (network or network_traffic)))

Modify →

(event.dataset: (network_traffic.flow or panw.panos or zeek.rdp))

Restricts matching to the intended network flow sources and PAN-OS/Zeek RDP telemetry, avoiding generic event.category matches and improving precision and query efficiency.

Exception Recommendations

Add exception: event.type is "denied" (Confidence: HIGH)

Events 3–4 are panw.panos with event.type: denied to dst.port 3389; these are firewall blocks, not successful exposure. Across customers, PAN-OS produces large volumes of denied RDP probes from Internet scans.

Modify →

and event.type is "denied"

Add exception: event.action is "flow_dropped" (Confidence: HIGH)

Events 3–4 show event.action: flow_dropped for inbound 3389 attempts; dropping these is benign and high-volume. Removing them prevents scan noise from triggering alerts.

Modify →

and event.action is "flow_dropped"

Add exception: event.outcome is "failure" (Confidence: HIGH)

Blocked/failed attempts (event.outcome: failure) dominate scan noise in PAN-OS logs as seen in Events 3–4. Excluding failures focuses alerts on allowed/established connections indicative of exposure.

Modify →

and event.outcome is "failure"

Field-Level Recommendations

This issue was generated by the GenAI Tradecraft Rule Tuning Advisor.
Analysis timestamp: 2025-12-21T06:08:33.356243