From e9d7ddfa35678e642a79b01a58f7902cd5409852 Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Reddy Burri
Date: Fri, 21 Jun 2024 00:47:06 +0530
Subject: [PATCH] [Rule Tuning]: Fix threat_index and filters in Rapid7 CVE rule (#3800)

* Fix index and filters in Rapid7 CVE rule

* change updated date

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 .../threat_intel_rapid7_threat_command.toml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/threat_intel/threat_intel_rapid7_threat_command.toml b/rules/threat_intel/threat_intel_rapid7_threat_command.toml
index 85a6d0d45..fffdad302 100644
--- a/rules/threat_intel/threat_intel_rapid7_threat_command.toml
+++ b/rules/threat_intel/threat_intel_rapid7_threat_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/29"
 integration = ["ti_rapid7_threat_command"]
 maturity = "production"
-updated_date = "2024/06/12"
+updated_date = "2024/06/20"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ tags = [
     "Use Case: Asset Visibility",
     "Use Case: Continuous Monitoring",
 ]
-threat_index = ["logs-ti_rapid7_threat_command_latest.ioc"]
+threat_index = ["logs-ti_rapid7_threat_command_latest.vulnerability"]
 threat_indicator_path = "rapid7.tc.vulnerability"
 threat_language = "kuery"
 threat_query = """
@@ -90,16 +90,16 @@ vulnerability.id : *
 '''
-[[rule.threat_filters]]
+[[rule.filters]]
-[rule.threat_filters."$state"]
+[rule.filters."$state"]
 store = "appState"
 
-[rule.threat_filters.meta]
+[rule.filters.meta]
 disabled = false
 key = "rapid7.tc.vulnerability.id"
 negate = true
 type = "exists"
 
-[rule.threat_filters.query.exists]
+[rule.filters.query.exists]
 field = "rapid7.tc.vulnerability.id"
 
 [[rule.threat_mapping]]
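Review bot: Moving the negated `exists` filter on `rapid7.tc.vulnerability.id` from `[[rule.threat_filters]]` to `[[rule.filters]]` in the third hunk changes which side of the threat match it applies to: as a threat filter with `negate = true` it would have dropped every indicator that carries the id field, whereas as a rule filter it now excludes source events that carry that field, presumably so that Rapid7 indicator documents cannot match themselves when the rule's `index` pattern also covers the threat-intel data stream. Nothing in the hunk records that intent, and the `meta`/`query.exists` pair with `negate = true` reads as an arbitrary exclusion to the next person tuning the rule. I would add, above `[[rule.filters]]`, a comment such as `# Event-side exclusion: documents carrying rapid7.tc.vulnerability.id are indicators and must only enter the match via threat_index` (if the repository's rule tooling does not preserve TOML comments, the same sentence belongs in the rule's `note`). The rule's `index` and the rest of the `[rule]` table are outside this hunk, so whether that overlap actually exists should be confirmed there.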