From d1491c3ce1cf51350fcaf7f45ec63eac7f17495b Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 18 Jul 2023 20:21:15 -0300
Subject: [PATCH] [Rule Tuning] Threat Intel URL Indicator Match (#2902)

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../threat_intel_indicator_match_url.toml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml
index f3c38d4e5..749b24a85 100644
--- a/rules/cross-platform/threat_intel_indicator_match_url.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_url.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2023/06/27"
+updated_date = "2023/07/03"
 min_stack_comments = """
 Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules.
 
@@ -97,3 +97,15 @@ value = "threat.indicator.url.full"
 field = "url.domain"
 type = "mapping"
 value = "threat.indicator.url.domain"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "source.domain"
+type = "mapping"
+value = "threat.indicator.url.domain"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "destination.domain"
+type = "mapping"
+value = "threat.indicator.url.domain"
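Review bot: The two new `[[rule.threat_mapping]]` blocks in the second hunk are each a standalone single-entry clause keyed on `threat.indicator.url.domain` alone, so a URL indicator hosted on a shared service (a CDN, cloud storage or code-hosting domain) will now fire on any event whose `source.domain` or `destination.domain` names that host, which is a much broader match than the `url.full` mapping the file already carries above this hunk. Nothing in the change records that trade-off, and a tuner reading the file later cannot tell whether the domain-only clauses were meant to be lower-confidence than a full-URL hit; I would add above the first new block `# Domain-only clauses: an indicator whose url.domain is a shared hosting/CDN service matches all traffic to that host — treat these hits as lower confidence than url.full matches.` It is also worth confirming that `source.domain` is intended, since on most network events it names the originating host rather than the one contacted, which presumably only matters for inbound connections from the indicator's host. The `threat_mapping` array begins, and the rule's indicator-side query and filters live, outside this hunk, so I cannot see whether shared-hosting indicators are already filtered there.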