Add default timestamp condition for threat_query (#1486)

(cherry picked from commit 10a977914b)
Khristinin Nikita
2021-09-20 21:19:52 +02:00
committed by github-actions[bot]
parent 143afc4f38
commit 2bb9fdb724
@@ -69,11 +69,11 @@ threat_index = [ "filebeat-*"]
threat_indicator_path = ""
threat_language = "kuery"
threat_query = """
event.module:threatintel and
threat_query = '''
@timestamp >= "now-30d" and event.module:threatintel and
(threatintel.indicator.file.hash.*:* or threatintel.indicator.file.pe.imphash:* or threatintel.indicator.ip:* or
threatintel.indicator.registry.path:* or threatintel.indicator.url.full:*)
"""
'''
query = """
file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*