Hi!
So we have GTI and an IOC Stream set up, and afaik it's being ingested into SecOps and the entity graph.
I am trying to write detection rules that leverage the IOC stream to alerts.
Take a malicious domain for example. If a UDM log in SecOps contains a hostname/domain that is a malicious IOC from GTI, I want to create an alert.
I tried vibe-coding the detection rule with Gemini, but I'm afraid I don't know enough about how the entity graph works.
How far off am I?
rule alert_on_gti_ioc_domain {
  meta:
    author = "Max"
    description = "Oppdager nettverkstrafikk eller DNS-oppslag mot domener som finnes i Threat Intel (Entity Graph)."
    severity = "High"

  events:
    // Event side: pull the domain from either the target hostname or a DNS question name
    (
      $event.target.hostname = $domain or
      $event.network.dns.questions.name = $domain
    )
    $domain != ""

    // Entity side: join on the same domain against threat-intel entity context
    $entity.graph.entity.hostname = $domain
    $entity.graph.metadata.entity_type = "DOMAIN_NAME"
    $entity.graph.metadata.source_type = "ENTITY_CONTEXT"
    (
      $entity.graph.metadata.threat.severity = "HIGH" or
      $entity.graph.metadata.threat.severity = "CRITICAL"
    )

  match:
    $domain over 1h

  condition:
    $event and $entity
}
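To make the join that the rule above expresses easier to reason about, here is an added example (not from the original post, and not the SecOps engine itself) that simulates the same logic in plain Python: events yield candidate domains, the entity graph yields the set of domains flagged HIGH or CRITICAL, and hits are grouped per domain inside a time window. All event and entity records are constructed sample data; the list-valued `threat` field, the flat `dns_questions` list and the tumbling hourly buckets standing in for `match: $domain over 1h` are simplifying assumptions of this example, not a statement of how the real rule engine works.

```python
"""Constructed simulation of the event/entity join in a YARA-L rule.

Sample data and plain Python only; nothing here calls a Chronicle/SecOps API.
"""
from collections import defaultdict
from datetime import datetime, timezone

SEVERE = {"HIGH", "CRITICAL"}          # severities the rule alerts on


def ts(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed entity-context records. The shape loosely mirrors the UDM entity
# fields the rule references; treating `threat` as a list is an assumption.
ENTITIES = [
    {"entity": {"hostname": "bad.example.test"},
     "metadata": {"entity_type": "DOMAIN_NAME", "source_type": "ENTITY_CONTEXT",
                  "threat": [{"severity": "HIGH"}]}},
    {"entity": {"hostname": "worse.example.test"},
     "metadata": {"entity_type": "DOMAIN_NAME", "source_type": "ENTITY_CONTEXT",
                  "threat": [{"severity": "CRITICAL"}]}},
    {"entity": {"hostname": "meh.example.test"},          # below threshold
     "metadata": {"entity_type": "DOMAIN_NAME", "source_type": "ENTITY_CONTEXT",
                  "threat": [{"severity": "MEDIUM"}]}},
    {"entity": {"hostname": "bad.example.test"},          # wrong source_type
     "metadata": {"entity_type": "DOMAIN_NAME", "source_type": "ASSET",
                  "threat": [{"severity": "HIGH"}]}},
]

# Constructed UDM-like events: target.hostname and DNS question names.
EVENTS = [
    {"id": "e1", "timestamp": ts("2024-05-01T10:00:00"),
     "target": {"hostname": "bad.example.test"}, "dns_questions": []},
    {"id": "e2", "timestamp": ts("2024-05-01T10:20:00"),
     "target": {"hostname": ""}, "dns_questions": ["bad.example.test"]},
    {"id": "e3", "timestamp": ts("2024-05-01T12:05:00"),
     "target": {"hostname": ""}, "dns_questions": ["worse.example.test"]},
    {"id": "e4", "timestamp": ts("2024-05-01T12:06:00"),
     "target": {"hostname": "meh.example.test"}, "dns_questions": []},
    {"id": "e5", "timestamp": ts("2024-05-01T12:07:00"),
     "target": {"hostname": "benign.example.test"},
     "dns_questions": ["cdn.example.test"]},
]


def ioc_domains(entities):
    """Entity side of the join: DOMAIN_NAME entity context with HIGH/CRITICAL threat."""
    out = set()
    for ent in entities:
        md = ent["metadata"]
        if md.get("entity_type") != "DOMAIN_NAME":
            continue
        if md.get("source_type") != "ENTITY_CONTEXT":
            continue
        if any(t.get("severity") in SEVERE for t in md.get("threat", [])):
            out.add(ent["entity"]["hostname"].lower())
    return out


def event_domains(event):
    """Event side of the join: non-empty target hostname or DNS question names."""
    cands = [event.get("target", {}).get("hostname", "")]
    cands += list(event.get("dns_questions", []))
    return {d.lower() for d in cands if d}


def detect(events, entities, window_seconds=3600):
    """Group matching events per (domain, window start), like `match: $domain over 1h`.

    Tumbling fixed windows are a simplification of the engine's match window.
    """
    iocs = ioc_domains(entities)
    hits = defaultdict(list)
    for ev in events:
        bucket = int(ev["timestamp"].timestamp()) // window_seconds
        start = datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc)
        for d in event_domains(ev) & iocs:
            hits[(d, start.isoformat())].append(ev["id"])
    return dict(hits)


if __name__ == "__main__":
    for (domain, start), ids in sorted(detect(EVENTS, ENTITIES).items()):
        print(f"{start} {domain}: {ids}")
```

Two things the simulation makes visible that the rule text hides: the `$domain != ""` guard is what stops events with an empty `target.hostname` from joining against everything, and the MEDIUM-severity and non-ENTITY_CONTEXT records never reach the join at all, so `e4` and `e5` produce no hit.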