security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e897a6760429ea46da15ebbca1609b62fd37fee9
sigma-rules/rules/cross-platform/threat_intel_module_match.toml
T
Justin Ibarra 6ef5c53b0c Cleanup note field in rules (#1194) 
* standardize usage of note field
2021-05-10 13:40:56 -08:00

148 lines
4.1 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/04/21"
maturity = "production"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
description = """
This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.
"""
from = "now-10m"
index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
interval = "9m"
language = "kuery"
license = "Elastic License v2"
name = "Threat Intel Filebeat Module Indicator Match"
note = """## Triage and Analysis
If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.
- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation
- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation
- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation
"""
references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html"]
risk_score = 99
rule_id = "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9"
severity = "critical"
tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring"]
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
type = "threat_match"
threat_index = [ "filebeat-*"]
threat_indicator_path = ""
threat_language = "kuery"
threat_query = """
event.module:threatintel and
(threatintel.indicator.file.hash.*:* or threatintel.indicator.file.pe.imphash:* or threatintel.indicator.ip:* or
threatintel.indicator.registry.path:* or threatintel.indicator.url.full:*)
"""
query = """
file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:* or url.full:* or registry.path:*
"""
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.module"
[rule.threat_filters.meta.params]
query = "threatintel"
[rule.threat_filters.query.match_phrase]
"event.module" = "threatintel"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.category"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.kind"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.type"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.md5"
type = "mapping"
value = "threatintel.indicator.file.hash.md5"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha1"
type = "mapping"
value = "threatintel.indicator.file.hash.sha1"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha256"
type = "mapping"
value = "threatintel.indicator.file.hash.sha256"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.pe.imphash"
type = "mapping"
value = "threatintel.indicator.file.pe.imphash"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "source.ip"
type = "mapping"
value = "threatintel.indicator.ip"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "destination.ip"
type = "mapping"
value = "threatintel.indicator.ip"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "url.full"
type = "mapping"
value = "threatintel.indicator.url.full"
[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "registry.path"
type = "mapping"
value = "threatintel.indicator.registry.path"
Reference in New Issue View Git Blame Copy Permalink