IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Threat Intel Windows Registry Indicator Match Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match »
Elastic Docs Elastic Security Solution [8.9] Downloadable rule update v8.9.1

Threat Intel URL Indicator Match

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Threat Intel URL Indicator Match

edit

This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.

Rule type: threat_match

Rule indices:

  • auditbeat-*
  • endgame-*
  • filebeat-*
  • logs-*
  • packetbeat-*
  • winlogbeat-*

Severity: critical

Risk score: 99

Runs every: 1h

Searches indices from: now-65m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • OS: Windows
  • Data Source: Elastic Endgame
  • Rule Type: Indicator Match

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
url.full:* or url.domain:*
« Threat Intel Windows Registry Indicator Match Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match »