[metadata] creation_date = "2021/04/21" maturity = "production" updated_date = "2021/05/10" [rule] author = ["Elastic"] description = """ This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations. """ from = "now-10m" index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] interval = "9m" language = "kuery" license = "Elastic License v2" name = "Threat Intel Filebeat Module Indicator Match" note = """## Triage and Analysis If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched. - `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation - `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation - `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation """ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"] risk_score = 99 rule_id = "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9" severity = "critical" tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring"] timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" type = "threat_match" threat_index = [ "filebeat-*"] threat_indicator_path = "" threat_language = "kuery" threat_query = """ event.module:threatintel and (threatintel.indicator.file.hash.*:* or threatintel.indicator.file.pe.imphash:* or threatintel.indicator.ip:* or threatintel.indicator.registry.path:* or threatintel.indicator.url.full:*) """ query = """ file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:* """ [[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] negate = false disabled = false type = "phrase" key = "event.module" [rule.threat_filters.meta.params] query = "threatintel" [rule.threat_filters.query.match_phrase] "event.module" = "threatintel" [[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] negate = false disabled = false type = "phrase" key = "event.category" [rule.threat_filters.meta.params] query = "threat" [rule.threat_filters.query.match_phrase] "event.category" = "threat" [[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] negate = false disabled = false type = "phrase" key = "event.kind" [rule.threat_filters.meta.params] query = "enrichment" [rule.threat_filters.query.match_phrase] "event.kind" = "enrichment" [[rule.threat_filters]] [rule.threat_filters."$state"] store = "appState" [rule.threat_filters.meta] negate = false disabled = false type = "phrase" key = "event.type" [rule.threat_filters.meta.params] query = "indicator" [rule.threat_filters.query.match_phrase] "event.type" = "indicator" [[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "file.hash.md5" type = "mapping" value = "threatintel.indicator.file.hash.md5" [[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "file.hash.sha1" type = "mapping" value = "threatintel.indicator.file.hash.sha1" [[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "file.hash.sha256" type = "mapping" value = "threatintel.indicator.file.hash.sha256" [[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "file.pe.imphash" type = "mapping" value = "threatintel.indicator.file.pe.imphash" [[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "source.ip" type = "mapping" value = "threatintel.indicator.ip" [[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "destination.ip" type = "mapping" value = "threatintel.indicator.ip" [[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "url.full" type = "mapping" value = "threatintel.indicator.url.full" [[rule.threat_mapping]] [[rule.threat_mapping.entries]] field = "registry.path" type = "mapping" value = "threatintel.indicator.registry.path"