Hello,
I'm currently developing a custom detection rule and I'm looking to incorporate MANDIANT_ACTIVE_BREACH_IOC data into it.
I would appreciate any guidance or best practices on how to effectively use this data within my rules. Specifically, how can I leverage the attributes associated with MANDIANT_ACTIVE_BREACH_IOC for domains and how use that to enhance threat detection? Any examples or experiences would be greatly appreciated.
Right now I have something like this rule for test :
rule test_rule {
meta:
author = "Test"
description = "Mandiant IOC Feed in rule"
yara_version = "YL2.0"
events:
$e.metadata.event_type = "NETWORK_CONNECTION"
$e.target.hostname = $ioc
$context_graph.graph.entity.hostname = $ioc
$context_graph.graph.metadata.product_name = "MANDIANT_ACTIVE_BREACH_IOC"
$context_graph.graph.metadata.entity_type = "DOMAIN_NAME"
$context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
match:
$ioc over 2h
outcome:
$target_hostname = array_distinct($ioc)
condition:
$e and $context_graph
}
Getting no results on testing this detection rule but for the same duration I can see curated ATI rule getting triggered for some domains.
