| Attribute | Operator | Action | Examples |
|---|---|---|---|
| Host Name | Contains/Does not contain | Type a value | computer.example.com |
| IP address | Contains/Does not contain | Type a value | 10.1.1.2 |
| | In range/Not in range | Type a range | |
| MAC address | In/Not in | Type a value | AA:AA:AA:AA:AA:AA |
| Network Group | In/Not in | Select one or more of the following: | |
| Registered Services | In/Not in | Select one or more of the following: | |
| Protocol | In/Not in | Select one or more of the following: | |
| Transport Layer Security (TLS) | Over SSL/TLS/Not over SSL/TLS | | |
| Direction | Equals | Select one of the following: | |
| Status | Equals | Select one of the following: | |
| Threat/Detection/Reference | Contains/Does not contain/Equals | Type a value | VAN_RANSOMWARE.UMXX |
| Detection Rule ID | In/Not in | Type a value | 707-710, 721-727 |
| Correlation Rule ID (ICID) | In/Not in | Type a value | 707-710, 721-727 |
| Detection Type | In/Not in | Select one or more of the following: | |
| Attack Phase | In/Not in | Select one or more of the following: | |
| YARA Rule File/YARA Rule | Contains/Equals | Type a value | myYARAFile |
| | Has YARA detection | | |
| C&C List Source | In/Not in | Select one or more of the following: | |
| C&C Callback Address | Contains/Does not contain/Equals | Type a value | computer.example.com |
| C&C Risk Level | In/Not in | Select one or more of the following: | |
| Virtual Analyzer Result | Has analysis results/No analysis results | | |
| PCAP File | Has PCAP file/No PCAP file | | |
| Is Targeted Attack Related | Yes/No | | |
| File Detection Type | In | Select one or more of the following: | |
| File Name | Has file name/No file name | | |
| | Contains/Does not contain | Type a value | myFile |
| File SHA-1 | Has file SHA-1/No file SHA-1 | | |
| | Contains/Does not contain | Type a value | 5bf1fd927dfb8679496a2e6cf00cbe50c1c87145 |
| File SHA-256 | Has file SHA-256/No file SHA-256 | | |
| | Contains/Does not contain | Type a value | 8b7df143d91c716ecfa5fc1730022f6b421b05cedee8fd52b1fc65a96030ad52 |
| IP Address/Domain/URL | Has network object/No network object | | |
| | Contains/Does not contain/Equals | Type a value | 10.1.1.2 |
| Suspicious Object/Deny List Entity | Contains/Does not contain/Equals | Type a value | 5bf1fd927dfb8679496a2e6cf00cbe50c1c87145 |
| Email Address | Has email address/No email address | | |
| | Contains/Does not contain | Type a value | example@example.com |
| Message ID (Email) | Has message ID/No message ID | | |
| | Contains/Does not contain | Type a value | 950124.162336@example.com |
| Subject (Email) | Has subject/No subject | | |
| | Contains/Does not contain | Type a value | mySubject |
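The table above lists operator families (Contains/Does not contain, Equals, In/Not in with ID ranges such as `707-710, 721-727`, In range/Not in range for addresses, and presence tests such as Has file SHA-1/No file SHA-1) but does not show how such a search is evaluated. The following is an added illustration, not the product's own matching code: it evaluates a list of conditions of these kinds over a few constructed detection records. Everything about the semantics is an assumption made here for the example, namely that string matching is case-insensitive, that several conditions combine with AND, that an In list is comma-separated and may contain inclusive numeric ranges, and that an IP range is written `start-end`.

```python
"""Evaluate saved-search style conditions over detection records (added example).

Assumed semantics, not taken from the page: case-insensitive string matching,
AND across conditions, comma-separated In lists with inclusive numeric ranges,
and IP ranges written as start-end.
"""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Set


def parse_id_list(text: str) -> Set[int]:
    """Expand an In value such as "707-710, 721-727" into the set of IDs it covers."""
    ids: Set[int] = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"descending range: {part}")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def ip_in_range(ip: str, rng: str) -> bool:
    """True if ip lies inside the inclusive start-end range; mixed IP versions never match."""
    start_s, end_s = (p.strip() for p in rng.split("-", 1))
    addr = ipaddress.ip_address(ip)
    start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
    if addr.version != start.version or start.version != end.version:
        return False
    return start <= addr <= end


@dataclass(frozen=True)
class Condition:
    attribute: str
    # contains, not_contains, equals, in, not_in, in_range, not_in_range,
    # has / has_not (the "Has X / No X" operators), is_yes / is_no
    operator: str
    value: str = ""


def matches(cond: Condition, record: Dict[str, Any]) -> bool:
    """Apply one condition to one record (hypothetical field names chosen for the example)."""
    actual = record.get(cond.attribute)
    op = cond.operator
    empty = actual in (None, "", [])
    if op == "has":
        return not empty
    if op == "has_not":
        return empty
    if op == "is_yes":
        return bool(actual)
    if op == "is_no":
        return not bool(actual)
    if actual is None:  # absent field: only the negative operators can hold
        return op in ("not_contains", "not_in", "not_in_range")
    text = str(actual).lower()
    if op == "contains":
        return cond.value.lower() in text
    if op == "not_contains":
        return cond.value.lower() not in text
    if op == "equals":
        return text == cond.value.lower()
    if op in ("in", "not_in"):
        if isinstance(actual, int):  # rule IDs: numeric list with ranges
            hit = actual in parse_id_list(cond.value)
        else:  # MAC addresses etc.: plain comma-separated list
            hit = text in {v.strip().lower() for v in cond.value.split(",")}
        return hit if op == "in" else not hit
    if op in ("in_range", "not_in_range"):
        hit = ip_in_range(str(actual), cond.value)
        return hit if op == "in_range" else not hit
    raise ValueError(f"unknown operator: {op}")


def search(conditions: Iterable[Condition],
           records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the records that satisfy every condition (AND semantics, assumed)."""
    conds = list(conditions)
    return [r for r in records if all(matches(c, r) for c in conds)]


# Constructed sample detections for the example; not real data.
SAMPLE_DETECTIONS = [
    {"host_name": "workstation-12.example.com", "ip_address": "10.1.1.2",
     "detection_rule_id": 708, "threat": "VAN_RANSOMWARE.UMXX",
     "file_sha1": "5bf1fd927dfb8679496a2e6cf00cbe50c1c87145",
     "targeted_attack_related": True, "pcap_file": "cap-0001.pcap"},
    {"host_name": "server-03.example.com", "ip_address": "10.1.5.40",
     "detection_rule_id": 715, "threat": "Possible_SMB_Scan",
     "file_sha1": "", "targeted_attack_related": False, "pcap_file": ""},
    {"host_name": "laptop-07.example.com", "ip_address": "192.168.4.9",
     "detection_rule_id": 724, "threat": "VAN_RANSOMWARE.UMXX",
     "file_sha1": "", "targeted_attack_related": False, "pcap_file": "cap-0002.pcap"},
]


def hosts(conditions: Iterable[Condition]) -> List[str]:
    """Convenience wrapper: host names of the sample detections matching the conditions."""
    return [r["host_name"] for r in search(conditions, SAMPLE_DETECTIONS)]


if __name__ == "__main__":
    print(hosts([Condition("detection_rule_id", "in", "707-710, 721-727"),
                 Condition("threat", "contains", "ransomware")]))
```

The presence operators are kept separate from the Yes/No ones because an empty string and `False` mean different things: a record with no file SHA-1 has an empty field, whereas "Is Targeted Attack Related: No" is a stored value. Treating both with `bool()` would silently merge the two cases.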