[Rule Tuning] Threat Intel URL Indicator Match (#2902)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Jonhnathan
2023-07-18 20:21:15 -03:00
committed by GitHub
parent f1ba092864
commit d1491c3ce1
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2023/05/22"
maturity = "production"
updated_date = "2023/06/27"
updated_date = "2023/07/03"
min_stack_comments = """
Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match
general rules.
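Review bot: the `min_stack_comments` text in this hunk's context reads as a fragment ("the stack version which we are deprecating the Threat Intel Indicator Match general rules"); since this hunk already edits the `[metadata]` block (the `updated_date` bump to 2023/07/03), consider rewording it to state the intent directly, for example "Limit the backport of this rule to the stack version in which the general Threat Intel Indicator Match rules are deprecated."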
@@ -97,3 +97,15 @@ value = "threat.indicator.url.full"
field = "url.domain"
type = "mapping"
value = "threat.indicator.url.domain"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "source.domain"
type = "mapping"
value = "threat.indicator.url.domain"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "destination.domain"
type = "mapping"
value = "threat.indicator.url.domain"
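Review bot: the two added `[[rule.threat_mapping]]` blocks are separate top-level mappings, so they are OR'ed with the existing `url.domain` mapping and each matches on `threat.indicator.url.domain` alone; an indicator whose URL sits on a shared or widely used domain will now fire on every event whose `source.domain` or `destination.domain` equals that domain, regardless of the URL path or `threat.indicator.url.full`. Consider documenting in the rule's description or note that a domain-only match derived from a URL indicator carries less confidence than a full-URL match, and confirm the noise level on data sources that populate `source.domain` with internal hostnames.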