Threat Intel Filebeat Module Indicator Match

edit

This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.

Rule type: threat_match

Rule indices:

  • auditbeat-*
  • endgame-*
  • filebeat-*
  • logs-*
  • packetbeat-*
  • winlogbeat-*

Severity: critical

Risk score: 99

Runs every: 9 minutes

Searches indices from: now-10m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Windows
  • Elastic Endgame
  • Network
  • Continuous Monitoring
  • SecOps
  • Monitoring

Version: 1

Added (Elastic Stack release): 7.13.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.

  • threatintel.indicator.matched.atomic - this identifies the atomic indicator that matched the local observation
  • threatintel.indicator.matched.field - this identifies the indicator field that matched the local observation
  • threatintel.indicator.matched.type - this identifies the indicator type that matched the local observation

Rule query

edit
file.hash.*:* or file.pe.imphash:* or source.ip:* or destination.ip:*
or url.full:* or registry.path:*