multiple_malicious.yaml
```yaml
id: multiple_malicious
version: 1
meta:
  name: >
    An IP, host, subnet or email address was considered malicious by
    multiple sources
  description: >
    An IP, host, subnet or email address was considered malicious by
    multiple sources.
    Such cases have a high likelihood of being genuinely malicious and
    should be urgently investigated. Even if the entity in question is
    not compromised, it's likely to be blocked across parts of the
    Internet due to its presence in these lists.
  risk: HIGH
collections:
  - collect:
      # Keep only events whose type matches MALICIOUS_* or BLACKLIST_*
      - method: regex
        field: type
        value:
          - MALICIOUS_*
          - BLACKLIST_*
      # Filter out all subnets
      - method: regex
        field: source.data
        value: not .*/.*
      # Filter out affiliates and Co-hosts
      - method: regex
        field: type
        value:
          - not .*COHOST.*
          - not .*AFFILIATE.*
# Group the remaining events by the entity they were reported against
aggregation:
  field: source.data
# Alert when a group holds at least two events
analysis:
  - method: threshold
    field: source.data
    minimum: 2
headline: "Entity considered malicious by multiple sources: {source.data}"
```