main/Packetbeat/200300-packetbeat_rules.xml

<group name="linux,packetbeat,">
    <rule id="200300" level="3">
        <decoded_as>json</decoded_as>
        <field name="method">QUERY</field>
        <field name="dns.resolved_ip">\.+</field>
        <mitre>
          <id>T1071</id>
        </mitre>
        <description>Linux: DNS Query to $(dns.question.name)</description>
        <options>no_full_log</options>
        <group>dns</group>
    </rule>
    <rule id="200301" level="3">
        <decoded_as>json</decoded_as>
        <field name="event.dataset">tls</field>
        <field name="tls.established">true</field>
        <mitre>
          <id>T1071</id>
        </mitre>
        <description>Linux: HTTPS connection established to $(tls.client.server_name)</description>
        <options>no_full_log</options>
        <group>tls</group>
    </rule>
    <rule id="200302" level="3">
        <decoded_as>json</decoded_as>
        <field name="type">http</field>
        <mitre>
          <id>T1071</id>
        </mitre>
        <description>Linux: HTTP connection established to $(destination.ip)</description>
        <options>no_full_log</options>
        <group>http</group>
    </rule>
<!-- EXCLUDE PACKETBEAT ICMP -->

    <rule id="200303" level="1">
        <decoded_as>json</decoded_as>
        <field name="network.transport">icmp</field>
        <mitre>
          <id>T1071</id>
        </mitre>
        <description>Packetbeat: ICMP flow to $(destination.ip)</description>
        <options>no_full_log</options>
        <group>icmp</group>
    </rule>

</group>

<!-- Rule to exclude noisy logs -->
<group name="linux,packetbeat,exclude,">
    <rule id="200310" level="1" frequency="2" timeframe="900">
        <if_matched_sid>200300</if_matched_sid>
        <same_field>dns.question.name</same_field>
        <mitre>
          <id>T1071</id>
        </mitre>
        <description>Linux: Frequent DNS Query</description>
        <options>no_log</options>
        <group>dns</group>
    </rule>
    <rule id="200311" level="1" frequency="2" timeframe="900">
        <if_matched_sid>200301</if_matched_sid>
        <same_field>tls.client.server_name</same_field>
        <mitre>
          <id>T1071</id>
        </mitre>
        <description>Linux: Frequent HTTPS Connection</description>
        <options>no_full_log</options>
        <group>tls</group>
    </rule>
    <rule id="200312" level="1" frequency="2" timeframe="900">
        <if_matched_sid>200302</if_matched_sid>
        <same_field>destination.ip</same_field>
        <mitre>
          <id>T1071</id>
        </mitre>
        <description>Linux: Frequent HTTP Connection</description>
        <options>no_full_log</options>
        <group>http</group>
    </rule>
</group>