[ URLHaus threat intelligence ]: create a new rule

Hello again,

So I did as you and @hilo21 suggested: I used a grok filter and separated the indicators.
The grok filter I used is:

    grok {
      # Try "IP:port" first; otherwise capture the host as "domain".
      # Everything after the first "/" goes into uri_para.
      match => { "url" => "%{URIPROTO:uri_proto}:\/\/(%{IP:destination.ip}:%{NUMBER:destination.port})?(%{URIHOST:domain})?\/%{GREEDYDATA:uri_para}" }
    }

(Sometimes the indicator is an IP address and port and sometimes it's a URL; that's why my filter looks like that.)

and my rule is like this:

The only problem is that I am getting this error while creating the rule, so I couldn't test whether it's working correctly:

So I created a new topic here:
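To check which field each kind of URLHaus indicator ends up in, here is an added Python emulation of the grok pattern from the post above (example code, not from the original post or from Logstash). The grok patterns are replaced by simplified stand-in regexes, the sample indicators are constructed, and the last two cases show the edge cases worth knowing: a bare IP without a port is captured as `domain` rather than `destination.ip`, and a URL with no path does not match at all.

```python
import re
from typing import Optional

# Simplified stand-ins for the grok patterns used by the post's filter
# (assumption: Logstash's real IP pattern also covers IPv6 and checks octet
# ranges, and its URIHOST additionally emits a "port" field).
URIPROTO = r"[A-Za-z][A-Za-z0-9+\-.]*"
IPV4 = r"(?<![0-9])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9])"
NUMBER = r"[0-9]+"
HOSTNAME = r"[0-9A-Za-z][0-9A-Za-z\-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z\-]{0,62})*\.?"
URIHOST = rf"(?:{IPV4}|{HOSTNAME})(?::[0-9]+)?"   # IPORHOST with optional :port

# Same structure as the post's grok match; Python group names cannot contain
# dots, so destination.ip / destination.port are renamed on output.
URLHAUS_INDICATOR = re.compile(
    rf"^(?P<uri_proto>{URIPROTO})://"
    rf"(?:(?P<destination_ip>{IPV4}):(?P<destination_port>{NUMBER}))?"
    rf"(?P<domain>{URIHOST})?"
    r"/(?P<uri_para>.*)$"
)
FIELD_NAMES = {"destination_ip": "destination.ip", "destination_port": "destination.port"}


def parse_indicator(url: str) -> Optional[dict]:
    """Return the fields the grok filter would add, or None when grok would fail."""
    m = URLHAUS_INDICATOR.match(url)
    if m is None:
        return None
    return {FIELD_NAMES.get(k, k): v for k, v in m.groupdict().items() if v is not None}


# Constructed sample indicators in the shape of URLHaus feed entries.
SAMPLE_INDICATORS = [
    "http://1.2.3.4:8080/bin.sh",        # IP and port: fills destination.ip / destination.port
    "http://example.test/payload.exe",   # hostname: fills domain
    "http://5.6.7.8/x.php",              # IP without port: lands in domain, not destination.ip
    "http://example.test",               # no path: the pattern needs a "/" and fails
]

if __name__ == "__main__":
    for url in SAMPLE_INDICATORS:
        print(url, "->", parse_indicator(url))
```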
