Update proxy_ua_bitsadmin_susp_tld.yml

2024-11-06 09:25:17 +00:00 · 2020-10-15 23:26:08 -03:00 · 2020-10-15 23:26:08 -03:00 · 229cda76c3
commit 229cda76c3
parent a1d3c8c3ff
1 changed files with 7 additions and 7 deletions
--- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
+++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml
@ -9,13 +9,13 @@ logsource:
    category: proxy
 detection:
    selection:
-        c-useragent:
-            - 'Microsoft BITS/*'
+        c-useragent|startswith:
+            - 'Microsoft BITS/'
    falsepositives:
-        r-dns:
-            - '*.com' 
-            - '*.net' 
-            - '*.org' 
+        r-dns|endswith:
+            - '.com' 
+            - '.net' 
+            - '.org' 
    condition: selection and not falsepositives
 fields:
    - ClientIP
@ -30,4 +30,4 @@ tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.t1197
-    - attack.s0190
+    - attack.s0190