[Rule Tuning] Tune Threat Indicator Match Rules #2957
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
w0rk3r
requested review from
Aegrah,
DefSecSentinel,
brokensound77 and
terrancedejesus
|
Could we consider changing the URL Indicator rule to use both |
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 26, 2023
* [Rule Tuning] Tune Threat Indicator Match Rules * Update threat_intel_indicator_match_url.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 0ff50ac)
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 26, 2023
* [Rule Tuning] Tune Threat Indicator Match Rules * Update threat_intel_indicator_match_url.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 0ff50ac)
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 26, 2023
* [Rule Tuning] Tune Threat Indicator Match Rules * Update threat_intel_indicator_match_url.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 0ff50ac)
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 26, 2023
* [Rule Tuning] Tune Threat Indicator Match Rules * Update threat_intel_indicator_match_url.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 0ff50ac)
protectionsmachine
pushed a commit
that referenced
this pull request
Jul 26, 2023
* [Rule Tuning] Tune Threat Indicator Match Rules * Update threat_intel_indicator_match_url.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 0ff50ac)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues
Resolves #2954
Summary
domainfields on this rule, as it is more noisy than expected, as a lot of commonly used web services are included in threat intel fields. Such as Github, dropbox, discord, google drive, etc.dll.pe.imphash, as integrations such as abusech contain events with this field empty, which can match the target field in specific conditions in which it is not populated by Elastic Endpoint, generating thousands of unintended matches:Some other approaches considered:
I've looked at using QueryDSL as a filter in the Indicator index query but excluding indicators that don't populate certain fields will cause the other fields which contain the information to be excluded, causing FNs.
Other potential solutions to the problem:
As this matches a specific condition on the endpoint, we could add a filter that excludes the events which cause this, here is a working query that we could ship as a filter:
Query