| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748 |
- <!--
- SOC Proposal Rules — Appendix A1: DNS / Firewall IOC
- Simulation profile rule IDs : 100301-100302
- Production profile rule IDs : 110301-110302
- Severity mapping:
- Medium → level 8
- Decoded fields used (soc-mvp-dns):
- status = event_type (ioc_dns_traffic | ioc_domain_match)
- srcip = source IP
- url = queried domain
- action = blocked | alert
- -->
- <group name="soc_mvp,appendix_a,a1,ioc,dns,">
- <!-- ── Simulation profile (usecase_id markers present) ── -->
- <!-- ── Production profile (field-based matching) ── -->
- <rule id="110301" level="8">
- <if_sid>100250</if_sid>
- <match>event_type=ioc_dns_traffic</match>
- <description>A1-01 [PROD] DNS query to malicious domain (IOC traffic indicator)</description>
- <group>soc_prod,a1,ioc,</group>
- <mitre>
- <id>T1071.004</id>
- </mitre>
- </rule>
- <rule id="110302" level="8">
- <if_sid>100250</if_sid>
- <match>event_type=ioc_domain_match</match>
- <description>A1-02 [PROD] DNS IOC domain match from threat intelligence feed</description>
- <group>soc_prod,a1,ioc,</group>
- <mitre>
- <id>T1568</id>
- </mitre>
- </rule>
- <!-- ── Production normalized key=value path (soc-mvp production profile) ── -->
- </group>
|
