Hello, I am using logsatsh to enrich my SIEM with malicious Urls that I downloaded from URLHaus, and I wanna create a rule that send an alert everytime a user connect to one of the malicious urls. The problem is that I didn't find a field in packetbeat which contains the full url, so I couldn't u…

So if I understand well, there is no way to create a rule to track malicious URLs if it's using https, right ? Yes, that's correct for Packetbeat and other passive network monitoring /data collection systems.

[ URLHaus threat intelligence ]: create a new rule

Elastic Security SIEM

hilo21 (Hamza Ouadiâ) January 14, 2021, 8:56pm 7

Hello,

Can you tell me please what kind of alerting mechanism you're using ?

Watcher
SIEM Detections

Also is the URLhaus events stored in a different index than your packetbeat or are these fields on the same Document ?

Thank you

Topic		Replies	Views
Issue with rules creation SIEM detection-rules	15	1877	May 5, 2022
SIEM can't detect DNS activity to Internet SIEM	21	1513	July 15, 2020
Indicator Match Detection Rule Not Matched and Mapped to Intel Feeds SIEM detection-rules	17	2468	April 1, 2021
Security Detection Rules ( SIEM ) Elasticsearch	0	130	May 24, 2024
Match rule not working SIEM elastic-stack-alerting	7	701	April 8, 2021

[ URLHaus threat intelligence ]: create a new rule

Related topics