{
"author": ["THIS WILL BE POPULATED BY create-dnstwist-index COMMAND"],
"description": "This rule is triggered when a DNS request is made for a domain in the list of typosquatting domains generated by\ndnstwist. Adversaries may register homonym or homoglyph domains for the organization that they're targeting before\nsending a phishing lure to a user in an attempt to infect their endpoint with malware or steal credentials.\n",
"from": "now-10m",
"index": [
"packetbeat-*",
"winlogbeat-*"
],
"interval": "9m",
"language": "kuery",
"license": "Elastic License v2",
"name": "DNS Request for Typosquatting Domain",
"note": "## Config\n\n- Packetbeat or Winlogbeat must be configured to log DNS request events to be compatible with this rule.\n\n\n## Triage and Analysis\n\n- Determine the reason that the DNS request was made by the affected endpoint. For example, did the user visit the domain\nafter receiving a phishing email or did they mistype one of the organization's registered domains?\n- Take appropriate security measures when investigating the domain in question, as it may host malware or an attacker\nmay be monitoring for potential victims visiting the domain. For example, use open source intelligence such as the\nWHOIS domain database to obtain information about the domain, or interact with it using a malware sandbox service that\nis segmented from any of your production systems.\n",
"query": "dns.question.registered_domain:*\n",
"references": [],
"risk_score": 73,
"rule_id": "THIS WILL BE POPULATED BY create-dnstwist-index COMMAND",
"severity": "high",
"tags": [
"Elastic",
"Network",
"Windows",
"Continuous Monitoring",
"SecOps",
"Monitoring"
],
"threat_index": [
"dnstwist-*"
],
"threat_indicator_path": "",
"threat_language": "kuery",
"threat_mapping": [
{
"entries": [
{
"field": "dns.question.registered_domain",
"type": "mapping",
"value": "dns.question.registered_domain"
}
]
}
],
"threat_query": "dns.question.registered_domain:*",
"timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e",
"timeline_title": "Generic Threat Match Timeline",
"type": "threat_match"
}