Strona główna Odkrywaj Pomoc
Zaloguj się
tum
/
soc
Obserwuj 1
Polub 0
Forkuj 0
Kod Problemy 0 Oczekujące zmiany 0 Commity 45 Wydania 0 Wiki

Brak opisu

Drzewo: 012e088454
Gałęzie Tagi
soc
/
wazuh-docker
/
single-node
/
config
/
wazuh_cluster
/
rules
/
soc-ioc-cdb-...

soc-ioc-cdb-rules.xml 2.0KB
Historia Czysty

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253 
  1. <!--
    2. 

  2.   SOC IOC CDB Lookup Rules
    3. 

  3.   ========================
    4. 

  4.   These rules fire when a network field matches an entry in the threat-intel CDB lists
    5. 

  5.   maintained by soc-integrator (/wazuh/ioc-lists/refresh).
    6. 

  6. 

  7.   Lists (compiled by wazuh-analysisd at startup/restart):
    8. 

  8.     etc/lists/malicious-ioc/malicious-ip      — known-bad IPs  (feodo, threatfox, local hits)
    9. 

  9.     etc/lists/malicious-ioc/malicious-domains — known-bad domains (threatfox, urlhaus, local hits)
    10. 

  10.     etc/lists/malicious-ioc/malware-hashes    — malware SHA256 hashes (bazaar, threatfox, local hits)
    11. 

  11. 

  12.   Rule IDs: 110600–110605
    13. 

  13.   Level    : 10  (above log_alert_level=3, below critical=12)
    14. 

  14. -->
    15. 

  15. 

  16. <group name="soc_mvp,threat_intel,ioc,cdb,">
    17. 

  17. 

  18.   <!-- ── IP: FortiGate source IP matched threat-intel list ── -->
    19. 

  19.   <rule id="110600" level="10">
    20. 

  20.     <if_sid>81603</if_sid>
    21. 

  21.     <list field="srcip" lookup="match_key">etc/lists/malicious-ioc/malicious-ip</list>
    22. 

  22.     <description>CDB: FortiGate source IP matched threat-intel list</description>
    23. 

  23.     <group>soc_prod,a2,ioc,threat_intel,cdb,</group>
    24. 

  24.     <mitre>
    25. 

  25.       <id>T1071</id>
    26. 

  26.     </mitre>
    27. 

  27.   </rule>
    28. 

  28. 

  29.   <!-- ── IP: FortiGate destination IP matched threat-intel list ── -->
    30. 

  30.   <rule id="110601" level="10">
    31. 

  31.     <if_sid>81603</if_sid>
    32. 

  32.     <list field="dstip" lookup="match_key">etc/lists/malicious-ioc/malicious-ip</list>
    33. 

  33.     <description>CDB: FortiGate destination IP matched threat-intel list</description>
    34. 

  34.     <group>soc_prod,a2,ioc,threat_intel,cdb,</group>
    35. 

  35.     <mitre>
    36. 

  36.       <id>T1071</id>
    37. 

  37.     </mitre>
    38. 

  38.   </rule>
    39. 

  39. 

  40.   <!-- ── Domain: DNS query matched malicious-domains list ── -->
    41. 

  41.   <!-- Parent: 100250 (soc-prod-dns decoder, extracts url from query= field) -->
    42. 

  42.   <rule id="110602" level="10">
    43. 

  43.     <if_sid>100250</if_sid>
    44. 

  44.     <list field="url" lookup="match_key">etc/lists/malicious-ioc/malicious-domains</list>
    45. 

  45.     <description>CDB: DNS query matched malicious-domains threat-intel list</description>
    46. 

  46.     <group>soc_prod,a1,ioc,threat_intel,cdb,dns,</group>
    47. 

  47.     <mitre>
    48. 

  48.       <id>T1071.004</id>
    49. 

  49.     </mitre>
    50. 

  50.   </rule>
    51. 

  51. 

  52. </group>
    53. 

  53.