[Rule Tuning] Tune Threat Indicator Match Rules (#2957)

* [Rule Tuning] Tune Threat Indicator Match Rules

* Update threat_intel_indicator_match_url.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Jonhnathan
2023-07-26 15:12:28 -03:00
committed by GitHub
parent b330cf9438
commit 0ff50acfd2
2 changed files with 7 additions and 25 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2023/06/27"
updated_date = "2023/07/24"
min_stack_comments = """
Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
general rules.
@@ -44,7 +44,7 @@ threat_query = '''
'''
query = """
file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:* or dll.pe.imphash:*
file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:*
"""
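Review bot: The new `query` keeps `dll.hash.*:*` but drops `dll.pe.imphash:*`, while `file.pe.imphash` and `process.pe.imphash` stay, and nothing in the file records why DLL import hashes are now excluded; a future tuning pass is likely to "restore" the symmetry. Add a comment above the query, e.g. `# dll.pe.imphash is intentionally not matched here (and has no threat_mapping entry below); see the 2023/07 tuning`, adjusting the reason to whatever drove the change (presumably noise from shared-import-table DLLs, which I cannot confirm from the diff). The `threat_query` this hunk closes starts outside the hunk, so its own field list should be checked for a matching exclusion.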
@@ -147,12 +147,6 @@ field = "process.hash.sha256"
type = "mapping"
value = "threat.indicator.file.hash.sha256"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "dll.pe.imphash"
type = "mapping"
value = "threat.indicator.file.pe.imphash"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "process.pe.imphash"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2023/07/03"
updated_date = "2023/07/24"
min_stack_comments = """
Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
general rules.
@@ -39,11 +39,11 @@ threat_language = "kuery"
threat_query = '''
@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and
(threat.indicator.url.full:* or threat.indicator.url.domain:*) and not labels.is_ioc_transform_source:"true"
threat.indicator.url.full:* and not labels.is_ioc_transform_source:"true"
'''
query = """
url.full:* or url.domain:*
url.full:*
"""
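Review bot: The new mapping for `url.original` → `threat.indicator.url.original` added further down this file can never fire on its own, because the filters in this hunk admit only `url.full` on both sides: `query` is `url.full:*` and `threat_query` requires `threat.indicator.url.full:*`, so an event or indicator that carries only the `original` form is dropped before mapping is evaluated. If the intent is to match on either form, widen both lines to `url.full:* or url.original:*` and `(threat.indicator.url.full:* or threat.indicator.url.original:*) and not labels.is_ioc_transform_source:"true"`; if the intent is really `url.full`-only, the `url.original` mapping is dead weight and should say so in a comment. I am inferring the intent from the mapping change alone, so please confirm which one was meant.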
@@ -94,18 +94,6 @@ value = "threat.indicator.url.full"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "url.domain"
field = "url.original"
type = "mapping"
value = "threat.indicator.url.domain"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "source.domain"
type = "mapping"
value = "threat.indicator.url.domain"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "destination.domain"
type = "mapping"
value = "threat.indicator.url.domain"
value = "threat.indicator.url.original"