Skip to content

Latest commit

 

History

History
42 lines (35 loc) · 1.63 KB

MATCH-S00666.md

File metadata and controls

42 lines (35 loc) · 1.63 KB

Rules: High Severity Intrusion Signature

Description

This rule looks for an intrusion product detecting a high severity intrusion signature sourcing from an internal IP.

Additional Details

Detail Value
Type Templated Match
Category Discovery
Apply Risk to Entities srcDevice_hostname, srcDevice_ip, user_username
Signal Name {{metadata_vendor}} {{metadata_product}} High Severity Intrusion Signature
Summary Expression High Severity Intrusion Signature detected: {{threat_name}} from IP: {{srcDevice_ip}}
Score/Severity Static: 3
Enabled by Default True
Prototype False
Tags _mitreAttackTactic:TA0007, _mitreAttackTechnique:T1046

Vendors and Products

Fields Used

Origin Field
Normalized Schema listMatches
Normalized Schema metadata_product
Normalized Schema metadata_vendor
Normalized Schema normalizedSeverity
Normalized Schema srcDevice_hostname
Normalized Schema srcDevice_ip
Normalized Schema srcDevice_ip_isInternal
Normalized Schema threat_ruleType
Normalized Schema user_username