From 97e42d01d8c84bca52acba07b4a978f2cff22484 Mon Sep 17 00:00:00 2001
From: TotalKnob
Date: Fri, 26 Aug 2022 18:11:22 +0200
Subject: [PATCH] [Rule Tuning] SUNBURST Command and Control Activity (#2232)

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan
---
 ...mand_and_control_sunburst_c2_activity_detected.toml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 563ba79bd..4e6db7077 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -94,9 +94,13 @@ network where event.type == "protocol" and network.protocol == "http" and
 "SolarWinds.BusinessLayerHostx64.exe", "SolarWinds.Collector.Service.exe", "SolarwindsDiagnostics.exe") and
- (http.request.body.content : "*/swip/Upload.ashx*" and http.request.body.content : ("POST*", "PUT*")) or
- (http.request.body.content : ("*/swip/SystemDescription*", "*/swip/Events*") and http.request.body.content : ("GET*", "HEAD*")) and
- not http.request.body.content : "*solarwinds.com*"
+ (
+ (
+ (http.request.body.content : "*/swip/Upload.ashx*" and http.request.body.content : ("POST*", "PUT*")) or
+ (http.request.body.content : ("*/swip/SystemDescription*", "*/swip/Events*") and http.request.body.content : ("GET*", "HEAD*"))
+ ) and
+ not http.request.body.content : "*solarwinds.com*"
+ )
 '''
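Review bot: The exclusion on the second-to-last added line, `not http.request.body.content : "*solarwinds.com*"`, is a substring match over the entire captured request, so any request carrying that string anywhere — a header value, a query parameter, or a lookalike host such as `solarwinds.com.example.net` — is dropped from the alert. Because the regrouping makes this the single exclusion gating both request branches, it is now the easiest evasion point in the query. If the data source populates it, anchoring the allowlist on the destination host, e.g. `not destination.domain : ("solarwinds.com", "*.solarwinds.com")`, would exclude only genuine SolarWinds endpoints; failing that, at least narrow the pattern to the Host header rather than the whole content. The same field is also used to match the HTTP method via the `"POST*"`/`"GET*"` prefixes, which presumably relies on the request line being at the start of the captured content — a comment in the rule stating that assumption would help the next tuner.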