Hello, I am using logsatsh to enrich my SIEM with malicious Urls that I downloaded from URLHaus, and I wanna create a rule that send an alert everytime a user connect to one of the malicious urls. The problem is that I didn't find a field in packetbeat which contains the full url, so I couldn't u…

Is this specifically in the SIEM app?

it's for security reaspns, to detect malicious connections, so yes it's for SIEM utilisation

Ok, if it's in the SIEM app though I will move the topic to that category.

Hi @TheHunter1 , Elastic Common Schema[1] defines a field for storing the complete URL as url.full, as documented here . Packetbeat populates the url.full field for http events (i.e., where network.protocol: "http"). url.full is not populated in DNS or TLS events from Packetbeat, because the URL is…

Thanks for all your exaplanation @Mike_Paquette , it was so clair so as I can understand I can't use the rule Match in this case as there is no field that contains the full URL in DNS and TLS is there a posibility to create a rule with something like IN to match just some of the full URL Exemple: …

Hello, Can you tell me please what kind of alerting mechanism you're using ? Watcher SIEM Detections Also is the URLhaus events stored in a different index than your packetbeat or are these fields on the same Document ? Thank you

Thanks for your answer @hilo21 , So I want if possibile to create a rule from the SIEM detections without using a script to create a watcher, unless if there is no way to do it with the SIEM rules. and for your second question, I configured logsatsh to download the URLHaus database each 24h and sto…

Hi @TheHunter1 To further clarify your question, I think you are asking if a SIEM/Security App detection rule can MATCH a keyword field such as dns.question.name or destination.domain when the keyword field value is contained in the URL field. Like this (shown with the Security App Indicator Match…

Thanks for your answer @Mike_Paquette , But by doing that I think that it won't work as there is not a 100% MATCH between the 2 urls. The threat url: http://www.davidephoto.it/GsnIO/ dns.question.name in packetbeat field: www.davidephoto.it I think theMatch will work only if there is a 100% matc…

One way of manh to do this is to use elasticsearch filter plugin in packetbeat logstash pipeline to send a DSL query to elasticsearch for whatever index you want. I guess whith some testing you would be able to do it. Try wildcard query maybe it will work. Never used it in this use case but you can …

[ URLHaus threat intelligence ]: create a new rule

Elastic Security SIEM

Mike_Paquette (Mike Paquette) January 19, 2021, 2:46pm 17

So if I understand well, there is no way to create a rule to track malicious URLs if it's using https, right ?

Yes, that's correct for Packetbeat and other passive network monitoring /data collection systems.

Topic		Replies	Views
Issue with rules creation SIEM detection-rules	15	1927	May 5, 2022
SIEM can't detect DNS activity to Internet SIEM	21	1567	July 15, 2020
Indicator Match Detection Rule Not Matched and Mapped to Intel Feeds SIEM detection-rules	17	2519	April 1, 2021
Security Detection Rules ( SIEM ) Elasticsearch	0	141	May 24, 2024
Elastic Rule Alert With External hyper link field creation in highlighted Fields [feature request] SIEM	3	43	March 13, 2026

[ URLHaus threat intelligence ]: create a new rule

Related topics