From 5efdde375ca46ec54ea7732c08224a4132e249ff Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 24 Jul 2023 13:41:16 -0300
Subject: [PATCH 1/2] [Rule Tuning] Tune Threat Indicator Match Rules
---
 .../threat_intel_indicator_match_hash.toml | 10 ++------
 .../threat_intel_indicator_match_url.toml | 24 +++----------------
 2 files changed, 5 insertions(+), 29 deletions(-)
diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml
index a4c25e45124..75f135c0acc 100644
--- a/rules/cross-platform/threat_intel_indicator_match_hash.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2023/06/27"
+updated_date = "2023/07/24"
 min_stack_comments = """
 Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules.
@@ -44,7 +44,7 @@ threat_query = '''
 '''
 query = """
-file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:* or dll.pe.imphash:*
+file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:*
 """
@@ -147,12 +147,6 @@ field = "process.hash.sha256"
 type = "mapping"
 value = "threat.indicator.file.hash.sha256"
-[[rule.threat_mapping]]
-[[rule.threat_mapping.entries]]
-field = "dll.pe.imphash"
-type = "mapping"
-value = "threat.indicator.file.pe.imphash"
-
 [[rule.threat_mapping]]
 [[rule.threat_mapping.entries]]
 field = "process.pe.imphash"
diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml
index 749b24a85b7..b3e8444e331 100644
--- a/rules/cross-platform/threat_intel_indicator_match_url.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_url.toml
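Review bot: The reason dll.pe.imphash is dropped from the event query in the @@ -44 hunk (and its [[rule.threat_mapping]] block removed in the @@ -147 hunk of the same file) is recorded neither in the rule nor in the patch description, so a later tuner cannot tell whether the field was simply never populated or whether matching on it was noisy. Since file.pe.imphash and process.pe.imphash remain in the query, the asymmetry looks deliberate and deserves a one-line TOML comment above `query = """`, e.g. `# dll.pe.imphash is intentionally not matched by this rule — see <PR/issue reference>`. It is also worth confirming that every wildcard the query still selects (file.hash.*, dll.hash.*) has a matching [[rule.threat_mapping]] entry outside this hunk, since events pulled in by a selector with no mapping presumably cost query volume without ever producing an alert.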
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2023/07/03"
+updated_date = "2023/07/24"
 min_stack_comments = """
 Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules.
@@ -39,11 +39,11 @@ threat_language = "kuery"
 threat_query = '''
 @timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and
- (threat.indicator.url.full:* or threat.indicator.url.domain:*) and not labels.is_ioc_transform_source:"true"
+ threat.indicator.url.full:* and not labels.is_ioc_transform_source:"true"
 '''
 query = """
-url.full:* or url.domain:*
+url.full:*
 """
@@ -91,21 +91,3 @@ query = "indicator"
 field = "url.full"
 type = "mapping"
 value = "threat.indicator.url.full"
-
-[[rule.threat_mapping]]
-[[rule.threat_mapping.entries]]
-field = "url.domain"
-type = "mapping"
-value = "threat.indicator.url.domain"
-
-[[rule.threat_mapping]]
-[[rule.threat_mapping.entries]]
-field = "source.domain"
-type = "mapping"
-value = "threat.indicator.url.domain"
-
-[[rule.threat_mapping]]
-[[rule.threat_mapping.entries]]
-field = "destination.domain"
-type = "mapping"
-value = "threat.indicator.url.domain"
From 331a7a8a6c59604cc7a4ab41ccce946f3fa42c2c Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Mon, 24 Jul 2023 14:09:33 -0300
Subject: [PATCH 2/2] Update threat_intel_indicator_match_url.toml
---
 rules/cross-platform/threat_intel_indicator_match_url.toml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml
index b3e8444e331..c21181cf9e8 100644
--- a/rules/cross-platform/threat_intel_indicator_match_url.toml
+++ b/rules/cross-platform/threat_intel_indicator_match_url.toml
@@ -91,3 +91,9 @@ query = "indicator"
 field = "url.full"
 type = "mapping"
 value = "threat.indicator.url.full"
+
+[[rule.threat_mapping]]
+[[rule.threat_mapping.entries]]
+field = "url.original"
+type = "mapping"
+value = "threat.indicator.url.original"
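Review bot: The new url.original mapping can only fire when url.full is also populated on both the event and the indicator, because the selectors set by the first patch's @@ -39 hunk are now `url.full:*` for the event query and `threat.indicator.url.full:*` for threat_query; as far as those lines show, an event or indicator carrying only url.original is never fetched, so this entry is effectively dead as committed. If url.original matching is intended, widen both selectors alongside this mapping: `url.full:* or url.original:*` for query and `(threat.indicator.url.full:* or threat.indicator.url.original:*) and not labels.is_ioc_transform_source:"true"` for threat_query. Those two lines live in the first patch's hunk, not in this one, and updated_date was not bumped for this second commit, which is fine only because it lands on the same day.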