[Rule Tuning] Support ECS 1.11 field for IM rule (#1560)

* Support ecs field for IM rule

* update time interval

* Change additional lookback to 5 minutes

* Add old rule

* Add newline

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Remove im legacy rule

* Update name and description

* Remove min_stack_comment

* Keep 2 IM rule

* add min_stack_comments to rule

* Update rules/cross-platform/threat_intel_indicator_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adds new rules

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ece Özalp <ozale272@newschool.edu>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>

(cherry picked from commit c619844b0d)
Khristinin Nikita
2021-11-30 19:25:42 +01:00
committed by github-actions[bot]
parent 67f77a3fcb
commit 33030f09fa
@@ -6,14 +6,14 @@ updated_date = "2021/10/29"
[rule]
author = ["Elastic"]
description = """
This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.
This rule is triggered when indicators from the Threat Intel Filebeat module (v7.x) has a match against local file or network observations.
"""
from = "now-65m"
index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
interval = "1h"
language = "kuery"
license = "Elastic License v2"
name = "Threat Intel Filebeat Module Indicator Match"
name = "Threat Intel Filebeat Module (v7.x) Indicator Match"
note = """## Triage and Analysis
### Investigating Threat Intel Indicator Matches
@@ -66,7 +66,7 @@ timeline_title = "Generic Threat Match Timeline"
type = "threat_match"
threat_index = [ "filebeat-*"]
threat_indicator_path = ""
threat_indicator_path = "threatintel.indicator"
threat_language = "kuery"
threat_query = '''
@@ -178,4 +178,4 @@ value = "threatintel.indicator.url.full"
[[rule.threat_mapping.entries]]
field = "registry.path"
type = "mapping"
value = "threatintel.indicator.registry.path"
value = "threatintel.indicator.registry.path"