validating intermediate representation: event variables are not all joined by equalities, the joined groups are: (e), (kasperskyti)
Can someone help me out with this?
rule critical_ioc_detected_ip {
  meta:
    author = "Anurag Singh"
    description = "Rule to check for any traffic coming from suspicious IPs related to known IOCs."
    reference_sets = "kasperskyti"

  events:
    // Firewall / VPN network events from Check Point or Fortinet
    $e.metadata.vendor_name = "Check Point" or $e.metadata.vendor_name = "Fortinet"
    $e.metadata.product_name = "VPN-1 & FireWall-1" or $e.metadata.product_name = "Fortigate"
    $e.metadata.event_type = "NETWORK_CONNECTION" or $e.metadata.event_type = "NETWORK_HTTP"
    $e.principal.ip = $match_ip
    $e.target.ip = $match_ip

    // Kaspersky threat-intel IOC events, joined to the firewall events on the IP placeholder
    $kasperskyti.principal.ip[0] = $match_ip
    $kasperskyti.metadata.product_name = "IP"
    $ioc_severity = $kasperskyti.metadata.product_event_type

  match:
    $match_ip over 10m

  condition:
    $e and $kasperskyti
}