Closed MakoWish closed 1 year ago
I have been trying to exclude these indicator documents with the query, and I cannot seem to exclude empty strings. Querying threat.indicator.file.pe.imphash:* does include fields with empty strings (the problem here), but I also tried and not threat.indicator.file.pe.imphash:'' to no avail. Thinking more about this, it may need to be an update to the ingest pipeline for the TI integrations to remove the empty fields during ingest.
Thoughts?
Describe the bug Quite a lot of Threat Intel indicators contain empty fields for the hashes. This is causing false positives for events that do not contain the field.
Expected behavior Rule should not match events to indicators with empty indicator fields.
Additional context
In the following threat intel document from MalwareBazaar, the field threat.indicator.file.pe.imphash is empty, and this is causing an incredible number of false-positive matches.
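The ingest-side fix the comment above suggests, sketched as an added example rather than code from the issue or from the Elastic integration: strip empty hash fields from an indicator document before it is indexed, so an indicator-match rule has no empty imphash to compare against. The indicator document and the hash.* field names are constructed for illustration; only threat.indicator.file.pe.imphash comes from the report.

```python
# Indicator hash fields that carry no meaning when empty. The imphash field
# is the one named in the issue; the two hash.* fields are assumed ECS names.
HASH_FIELDS = (
    "threat.indicator.file.pe.imphash",
    "threat.indicator.file.hash.md5",
    "threat.indicator.file.hash.sha256",
)

# Constructed stand-in for the MalwareBazaar indicator described in the issue:
# imphash is present but empty, md5 is empty, sha256 is populated.
EXAMPLE_INDICATOR = {
    "event": {"kind": "enrichment", "category": "threat"},
    "threat": {"indicator": {"type": "file", "file": {
        "hash": {"md5": "", "sha256": "a" * 64},  # constructed sha256 value
        "pe": {"imphash": ""},
    }}},
}


def get_path(doc, dotted):
    """Walk a nested dict along a dotted field path; None when absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def drop_empty_fields(doc):
    """Return a copy with "" / None leaves removed, recursing into nested
    objects and dropping any object that ends up empty (file.pe here)."""
    cleaned = {}
    for key, val in doc.items():
        if isinstance(val, dict):
            val = drop_empty_fields(val)
        elif isinstance(val, list):
            val = [v for v in val if v not in ("", None)]
        if val in ("", None, {}, []):
            continue
        cleaned[key] = val
    return cleaned


def matchable_fields(doc, fields=HASH_FIELDS):
    """Hash fields a field-equality indicator rule would compare: those that
    exist in the document, whatever their value. Empty strings count before
    cleaning and disappear after it."""
    return [f for f in fields if get_path(doc, f) is not None]
```

After cleaning, only the populated sha256 remains as a matchable field and the now-empty file.pe object is gone entirely.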