[Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules (#2777)

* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules

* .

* Update threat_intel_indicator_match_hash.toml

* Update to include expiring rules, exclude expiring indexes

* .

* Apply suggestions from code review

* Push changes

* Update pyproject.toml

* Revert "Update pyproject.toml"

This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.

* Update pyproject.toml

* Update integration-schemas.json.gz

* Revert "Update integration-schemas.json.gz"

This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.

* Revert integrations-manifests to the one from main

* Fix maturity

* Update Name

* Update ignore_ids with the indicator rules guid

* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml

* Make changes to use labels

* Update non-ecs-schema.json

* Update rules/cross-platform/threat_intel_fleet_integrations.toml

* Apply suggestions from code review

* Backport to 8.5

* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators

* Update threat_intel_indicator_match_hash.toml

* Update threat_intel_indicator_match_url.toml

* Update threat_intel_indicator_match_url.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

detection_rules/etc/non-ecs-schema.json

@@ -59,7 +59,8 @@
     "powershell.file.script_block_text": "text"
   },
   "filebeat-*": {
-    "o365.audit.NewValue": "keyword"
+    "o365.audit.NewValue": "keyword",
+    "labels.is_ioc_transform_source": "keyword"
   },
   "logs-endpoint.events.*": {
     "process.Ext.token.integrity_level_name": "keyword",
@@ -122,5 +123,8 @@
     "google_workspace.drive.visibility": "keyword",
     "google_workspace.token.client.id": "keyword",
     "google_workspace.token.scope.data.scope_name": "keyword"
+  },
+  "logs-ti_*": {
+    "labels.is_ioc_transform_source": "keyword"
   }
 }

rules/cross-platform/threat_intel_filebeat8x.toml

@@ -1,21 +1,23 @@
 [metadata]
 creation_date = "2021/11/24"
 maturity = "production"
-updated_date = "2023/06/22"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2023/06/27"
+min_stack_comments = "Updating the rule for 8.5+ users before deprecation."
+min_stack_version = "8.5.0"
 
 [rule]
 author = ["Elastic"]
 description = """
 This rule is triggered when indicators from the Threat Intel Filebeat module (v8.x) has a match against local file or network observations.
+
+This rule was deprecated. See the Setup section for more information and alternative rules.
 """
 from = "now-65m"
 index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
 interval = "1h"
 language = "kuery"
 license = "Elastic License v2"
-name = "Threat Intel Filebeat Module (v8.x) Indicator Match"
+name = "Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match"
 note = """## Triage and Analysis
 
 ### Investigating Threat Intel Indicator Matches
@@ -30,20 +32,32 @@ If an indicator matches a local observation, the following enriched fields will
 - `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation
 - `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation
 
-#### Possible investigation steps:
+#### Possible investigation steps
+
 - Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.
 - Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.
 - Consider the user and their role within the company: is this something related to their job or work function?
 
 ### False Positive Analysis
+
 - For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.
 - Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.
 - It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.
 
 ### Response and Remediation
+
 - If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.
 - One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.
 - Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.
+
+## Setup
+
+This rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:
+
+* Threat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64
+* Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bca
+* Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60
+* Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3
 """
 references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"]
 risk_score = 99
@@ -54,7 +68,7 @@ timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
 type = "threat_match"
 
-threat_index = [ "filebeat-8*"]
+threat_index = ["filebeat-8*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
 

rules/cross-platform/threat_intel_fleet_integrations.toml

@@ -1,21 +1,23 @@
 [metadata]
 creation_date = "2021/04/21"
 maturity = "production"
-updated_date = "2023/06/22"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.3.0"
+updated_date = "2023/06/27"
+min_stack_comments = "Updating the rule for 8.5+ users before deprecation."
+min_stack_version = "8.5.0"
 
 [rule]
 author = ["Elastic"]
 description = """
 This rule is triggered when indicators from the Threat Intel integrations have a match against local file or network observations.
+
+This rule was deprecated. See the Setup section for more information and alternative rules.
 """
 from = "now-65m"
 index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
 interval = "1h"
 language = "kuery"
 license = "Elastic License v2"
-name = "Threat Intel Indicator Match"
+name = "Deprecated - Threat Intel Indicator Match"
 note = """## Triage and Analysis
 
 ### Investigating Threat Intel Indicator Matches
@@ -30,20 +32,32 @@ If an indicator matches a local observation, the following enriched fields will
 - `threat.indicator.matched.field` - this identifies the indicator field that matched the local observation
 - `threat.indicator.matched.type` - this identifies the indicator type that matched the local observation
 
-#### Possible investigation steps:
+#### Possible investigation steps
+
 - Investigation should be validated and reviewed based on the data (file hash, registry path, URL, imphash) that was matched and by viewing the source of that activity.
 - Consider the history of the indicator that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.
 - Consider the user and their role within the company: is this something related to their job or work function?
 
 ### False Positive Analysis
+
 - For any matches found, it's important to consider the initial release date of that indicator. Threat intelligence can be a great tool for augmenting existing security processes, while at the same time it should be understood that threat intelligence can represent a specific set of activity observed at a point in time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.
 - Adversaries often use legitimate tools as network administrators such as `PsExec` or `AdFind`; these tools often find their way into indicator lists creating the potential for false positives.
 - It's possible after large and publicly written campaigns, curious employees might end up going directly to attacker infrastructure and triggering these rules.
 
 ### Response and Remediation
+
 - If suspicious or malicious behavior is observed, take immediate action to isolate activity to prevent further post-compromise behavior.
 - One example of a response if a machine matched a command and control IP address would be to add an entry to a network device such as a firewall or proxy appliance to prevent any outbound activity from leaving that machine.
 - Another example of a response with a malicious file hash match would involve validating if the file was properly quarantined, reviewing current running processes for any abnormal activity, and investigating for any other follow-up actions such as persistence or lateral movement.
+
+## Setup
+
+This rule was deprecated in the 8.8 version of the Elastic Stack for performance reasons and to avoid alert duplication due to the indicators expiration new feature. Users using 8.8+ versions should disable this rule and enable indicator-based rules instead:
+
+* Threat Intel IP Address Indicator Match - 0c41e478-5263-4c69-8f9e-7dfd2c22da64
+* Threat Intel Hash Indicator Match - aab184d3-72b3-4639-b242-6597c99d8bca
+* Threat Intel Windows Registry Indicator Match - a61809f3-fb5b-465c-8bff-23a8a068ac60
+* Threat Intel URL Indicator Match - f3e22c8b-ea47-45d1-b502-b57b6de950b3
 """
 references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"]
 risk_score = 99
@@ -54,7 +68,7 @@ timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
 type = "threat_match"
 
-threat_index = [ "logs-ti_*"]
+threat_index = ["logs-ti_*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
 

rules/cross-platform/threat_intel_indicator_match_address.toml

@@ -0,0 +1,99 @@
+[metadata]
+creation_date = "2023/05/22"
+maturity = "production"
+updated_date = "2023/06/27"
+min_stack_comments = """
+Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
+general rules.
+"""
+min_stack_version = "8.5.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match
+against a network event.
+"""
+from = "now-65m"
+index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
+interval = "1h"
+language = "kuery"
+license = "Elastic License v2"
+name = "Threat Intel IP Address Indicator Match"
+references = [
+    "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
+    "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
+    "https://www.elastic.co/security/tip"
+]
+risk_score = 99
+rule_id = "0c41e478-5263-4c69-8f9e-7dfd2c22da64"
+severity = "critical"
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
+timeline_title = "Generic Threat Match Timeline"
+type = "threat_match"
+
+threat_index = ["filebeat-*", "logs-ti_*"]
+threat_indicator_path = "threat.indicator"
+threat_language = "kuery"
+
+threat_query = '''
+@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and
+  not labels.is_ioc_transform_source:"true"
+'''
+
+query = """
+source.ip:* or destination.ip:*
+"""
+
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.category"
+[rule.threat_filters.meta.params]
+query = "threat"
+[rule.threat_filters.query.match_phrase]
+"event.category" = "threat"
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.kind"
+[rule.threat_filters.meta.params]
+query = "enrichment"
+[rule.threat_filters.query.match_phrase]
+"event.kind" = "enrichment"
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.type"
+[rule.threat_filters.meta.params]
+query = "indicator"
+[rule.threat_filters.query.match_phrase]
+"event.type" = "indicator"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "source.ip"
+type = "mapping"
+value = "threat.indicator.ip"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "destination.ip"
+type = "mapping"
+value = "threat.indicator.ip"

rules/cross-platform/threat_intel_indicator_match_hash.toml

@@ -0,0 +1,160 @@
+[metadata]
+creation_date = "2023/05/22"
+maturity = "production"
+updated_date = "2023/06/27"
+min_stack_comments = """
+Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
+general rules.
+"""
+min_stack_version = "8.5.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an
+event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.
+"""
+from = "now-65m"
+index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"]
+interval = "1h"
+language = "kuery"
+license = "Elastic License v2"
+name = "Threat Intel Hash Indicator Match"
+references = [
+    "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
+    "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
+    "https://www.elastic.co/security/tip"
+]
+risk_score = 99
+rule_id = "aab184d3-72b3-4639-b242-6597c99d8bca"
+severity = "critical"
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
+timeline_title = "Generic Threat Match Timeline"
+type = "threat_match"
+
+threat_index = ["filebeat-*", "logs-ti_*"]
+threat_indicator_path = "threat.indicator"
+threat_language = "kuery"
+
+threat_query = '''
+@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and
+  (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and 
+  not labels.is_ioc_transform_source:"true"
+'''
+
+query = """
+file.hash.*:* or file.pe.imphash:*  or process.hash.*:* or process.pe.imphash:* or dll.hash.*:* or dll.pe.imphash:* 
+"""
+
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.category"
+[rule.threat_filters.meta.params]
+query = "threat"
+[rule.threat_filters.query.match_phrase]
+"event.category" = "threat"
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.kind"
+[rule.threat_filters.meta.params]
+query = "enrichment"
+[rule.threat_filters.query.match_phrase]
+"event.kind" = "enrichment"
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.type"
+[rule.threat_filters.meta.params]
+query = "indicator"
+[rule.threat_filters.query.match_phrase]
+"event.type" = "indicator"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "file.hash.md5"
+type = "mapping"
+value = "threat.indicator.file.hash.md5"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "file.hash.sha1"
+type = "mapping"
+value = "threat.indicator.file.hash.sha1"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "file.hash.sha256"
+type = "mapping"
+value = "threat.indicator.file.hash.sha256"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "file.pe.imphash"
+type = "mapping"
+value = "threat.indicator.file.pe.imphash"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "dll.hash.md5"
+type = "mapping"
+value = "threat.indicator.file.hash.md5"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "dll.hash.sha1"
+type = "mapping"
+value = "threat.indicator.file.hash.sha1"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "dll.hash.sha256"
+type = "mapping"
+value = "threat.indicator.file.hash.sha256"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "process.hash.md5"
+type = "mapping"
+value = "threat.indicator.file.hash.md5"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "process.hash.sha1"
+type = "mapping"
+value = "threat.indicator.file.hash.sha1"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "process.hash.sha256"
+type = "mapping"
+value = "threat.indicator.file.hash.sha256"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "dll.pe.imphash"
+type = "mapping"
+value = "threat.indicator.file.pe.imphash"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "process.pe.imphash"
+type = "mapping"
+value = "threat.indicator.file.pe.imphash"

rules/cross-platform/threat_intel_indicator_match_registry.toml

@@ -0,0 +1,93 @@
+[metadata]
+creation_date = "2023/05/22"
+maturity = "production"
+updated_date = "2023/06/27"
+min_stack_comments = """
+Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
+general rules.
+"""
+min_stack_version = "8.5.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a
+match against an event that contains registry data.
+"""
+from = "now-65m"
+index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"]
+interval = "1h"
+language = "kuery"
+license = "Elastic License v2"
+name = "Threat Intel Windows Registry Indicator Match"
+references = [
+    "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
+    "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
+    "https://www.elastic.co/security/tip"
+]
+risk_score = 99
+rule_id = "a61809f3-fb5b-465c-8bff-23a8a068ac60"
+severity = "critical"
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
+timeline_title = "Generic Threat Match Timeline"
+type = "threat_match"
+
+threat_index = ["filebeat-*", "logs-ti_*"]
+threat_indicator_path = "threat.indicator"
+threat_language = "kuery"
+
+threat_query = '''
+@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and
+  not labels.is_ioc_transform_source:"true"
+'''
+
+query = """
+registry.path:*
+"""
+
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.category"
+[rule.threat_filters.meta.params]
+query = "threat"
+[rule.threat_filters.query.match_phrase]
+"event.category" = "threat"
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.kind"
+[rule.threat_filters.meta.params]
+query = "enrichment"
+[rule.threat_filters.query.match_phrase]
+"event.kind" = "enrichment"
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.type"
+[rule.threat_filters.meta.params]
+query = "indicator"
+[rule.threat_filters.query.match_phrase]
+"event.type" = "indicator"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "registry.path"
+type = "mapping"
+value = "threat.indicator.registry.path"

rules/cross-platform/threat_intel_indicator_match_url.toml

@@ -0,0 +1,99 @@
+[metadata]
+creation_date = "2023/05/22"
+maturity = "production"
+updated_date = "2023/06/27"
+min_stack_comments = """
+Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
+general rules.
+"""
+min_stack_version = "8.5.0"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an
+event that contains URL data, like DNS events, network logs, etc.
+"""
+from = "now-65m"
+index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
+interval = "1h"
+language = "kuery"
+license = "Elastic License v2"
+name = "Threat Intel URL Indicator Match"
+references = [
+    "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
+    "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html",
+    "https://www.elastic.co/security/tip"
+]
+risk_score = 99
+rule_id = "f3e22c8b-ea47-45d1-b502-b57b6de950b3"
+severity = "critical"
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
+timeline_title = "Generic Threat Match Timeline"
+type = "threat_match"
+
+threat_index = ["filebeat-*", "logs-ti_*"]
+threat_indicator_path = "threat.indicator"
+threat_language = "kuery"
+
+threat_query = '''
+@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and
+  (threat.indicator.url.full:* or threat.indicator.url.domain:*) and not labels.is_ioc_transform_source:"true"
+'''
+
+query = """
+url.full:* or url.domain:*
+"""
+
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.category"
+[rule.threat_filters.meta.params]
+query = "threat"
+[rule.threat_filters.query.match_phrase]
+"event.category" = "threat"
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.kind"
+[rule.threat_filters.meta.params]
+query = "enrichment"
+[rule.threat_filters.query.match_phrase]
+"event.kind" = "enrichment"
+
+[[rule.threat_filters]]
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+negate = false
+disabled = false
+type = "phrase"
+key = "event.type"
+[rule.threat_filters.meta.params]
+query = "indicator"
+[rule.threat_filters.query.match_phrase]
+"event.type" = "indicator"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "url.full"
+type = "mapping"
+value = "threat.indicator.url.full"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "url.domain"
+type = "mapping"
+value = "threat.indicator.url.domain"

tests/test_all_rules.py

@@ -618,7 +618,11 @@ class TestRuleMetadata(BaseRuleTest):
                         "eb079c62-4481-4d6e-9643-3ca499df7aaa",
                         "699e9fdb-b77c-4c01-995c-1c15019b9c43",
                         "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0",
-                        "a198fbbd-9413-45ec-a269-47ae4ccf59ce"
+                        "a198fbbd-9413-45ec-a269-47ae4ccf59ce",
+                        "0c41e478-5263-4c69-8f9e-7dfd2c22da64",
+                        "aab184d3-72b3-4639-b242-6597c99d8bca",
+                        "a61809f3-fb5b-465c-8bff-23a8a068ac60",
+                        "f3e22c8b-ea47-45d1-b502-b57b6de950b3"
                     ]
                     if any([re.search("|".join(non_dataset_packages), i, re.IGNORECASE)
                             for i in rule.contents.data.index]):