diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml
index a4c25e45124..75f135c0acc 100644
--- a/rules/cross-platform/threat_intel_indicator_match_hash.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2023/06/27"
+updated_date = "2023/07/24"
 min_stack_comments = """
 Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules.
@@ -44,7 +44,7 @@ threat_query = '''
 '''
 query = """
-file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:* or dll.pe.imphash:*
+file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:*
 """
@@ -147,12 +147,6 @@ field = "process.hash.sha256"
 type = "mapping"
 value = "threat.indicator.file.hash.sha256"
-[[rule.threat_mapping]]
-[[rule.threat_mapping.entries]]
-field = "dll.pe.imphash"
-type = "mapping"
-value = "threat.indicator.file.pe.imphash"
-
 [[rule.threat_mapping]]
 [[rule.threat_mapping.entries]]
 field = "process.pe.imphash"
diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml
index 749b24a85b7..c21181cf9e8 100644
--- a/rules/cross-platform/threat_intel_indicator_match_url.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_url.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2023/07/03"
+updated_date = "2023/07/24"
 min_stack_comments = """
 Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules.
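Review bot: The `dll.pe.imphash:*` term dropped from `query` in the `@@ -44,7 +44,7 @@` hunk, together with the `dll.pe.imphash` mapping entry removed in the `@@ -147,12 +147,6 @@` hunk, silently narrows coverage so that DLL events are only matched on `dll.hash.*` while file and process events keep both hash and imphash matching, and nothing in the file says why. The two hunks agree with each other, which is good, but a future maintainer comparing the three `pe.imphash` fields will not know whether the asymmetry is deliberate. A short comment above `query`, e.g. `# dll.pe.imphash is intentionally not matched here; DLL indicators are joined on dll.hash.* only`, would record the decision next to the term that changed. If the rule's description or note text elsewhere in the file enumerates the matched fields, it presumably should be updated as well; that text is outside both hunks.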
@@ -39,11 +39,11 @@ threat_language = "kuery"
 threat_query = '''
 @timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and
- (threat.indicator.url.full:* or threat.indicator.url.domain:*) and not labels.is_ioc_transform_source:"true"
+ threat.indicator.url.full:* and not labels.is_ioc_transform_source:"true"
 '''
 query = """
-url.full:* or url.domain:*
+url.full:*
 """
@@ -94,18 +94,6 @@ value = "threat.indicator.url.full"
 [[rule.threat_mapping]]
 [[rule.threat_mapping.entries]]
-field = "url.domain"
+field = "url.original"
 type = "mapping"
-value = "threat.indicator.url.domain"
-
-[[rule.threat_mapping]]
-[[rule.threat_mapping.entries]]
-field = "source.domain"
-type = "mapping"
-value = "threat.indicator.url.domain"
-
-[[rule.threat_mapping]]
-[[rule.threat_mapping.entries]]
-field = "destination.domain"
-type = "mapping"
-value = "threat.indicator.url.domain"
+value = "threat.indicator.url.original"
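Review bot: The `threat_query` and `query` in this hunk are narrowed to `threat.indicator.url.full:*` and `url.full:*`, yet the `@@ -94,18 +94,6 @@` hunk adds a mapping that joins `url.original` to `threat.indicator.url.original`; if, as I understand indicator-match rules, mappings are only evaluated over documents that pass those two filters, then an event that carries only `url.original` or an indicator that carries only `threat.indicator.url.original` is excluded before the new mapping is ever tried, and the entry can only fire alongside a `url.full` hit. If the `url.original` mapping is meant to stand on its own, both filters need widening to `url.full:* or url.original:*` for the event query and `(threat.indicator.url.full:* or threat.indicator.url.original:*) and not labels.is_ioc_transform_source:"true"` for the threat query. If instead it is intentionally a secondary join behind `url.full`, a `#` comment above that `[[rule.threat_mapping]]` stating so would stop the mismatch from being re-reported. The removal of the `source.domain` and `destination.domain` mappings is consistent with dropping `url.domain` from the queries and needs no change.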