File changed: docs/cse/rules/cse-rules-syntax.md (1 addition & 6 deletions)
@@ -645,16 +645,11 @@ When an entity is processed by a rule using the `hasThreatMatch` function and is
645
645
Parameters:
646
646
***`<fields>`**. A list of comma-separated [field names](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/schema/full_schema.md). At least one field name is required.
647
647
***`<filters>`**. A logical expression using [indicator attributes](/docs/security/threat-intelligence/upload-formats/#normalized-json-format). Allowed in the filtering are parentheses `()`; `OR` and `AND` boolean operators; and comparison operators `=`, `<`, `>`, `=<`, `>=`, `!=`. <br/>You can filter on the following indicator attributes:
648
-
*`actors`. An identified threat actor such as an individual, organization, or group.
649
648
*`confidence` Confidence that the data represents a valid threat, where 100 is highest. Malicious confidence scores from different sources are normalized and mapped to a 0-100 numerical value.
650
-
*`id`. ID of the indicator.
651
649
*`indicator`. Value of the indicator, such as an IP address, file name, email address, etc.
652
-
*`killChain`. The various phases an attacker may undertake to achieve their objectives (for example, `reconnaissance`, `weaponization`, `delivery`, `exploitation`, `installation`, `command-and-control`, `actions-on-objectives`).
653
650
*`source`. The source in the Sumo Logic datastore displayed in the **Threat Intelligence** tab.
654
-
*`threatType`. The threat type of the indicator (for example, `anomalous-activity`, `anonymization`, `benign`, `compromised`, `malicious-activity`, `attribution`, `unknown`).
651
+
*`threat_type`. The threat type of the indicator (for example, `anomalous-activity`, `anonymization`, `benign`, `compromised`, `malicious-activity`, `attribution`, `unknown`).
655
652
*`type`. The indicator type (for example, `ipv4-addr`, `domain-name`, `'file:hashes`, etc.)
656
-
*`validFrom`. Beginning time this indicator is valid.
657
-
*`validUntil`. Ending time this indicator is valid.
658
653
***`<indicators>`**. An optional case insensitive option that describes how indicators should be matched with regard to their validity. Accepted values are:
659
654
*`active_indicators`. Match active indicators only (default).
660
655
*`expired_indicators`. Match expired indicators only.
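Review bot: the `<filters>` description is left unchanged while five attributes (`actors`, `id`, `killChain`, `validFrom`, `validUntil`) are removed from the list of filterable indicator attributes; since `validFrom`/`validUntil` were the only way to filter on validity windows in this section, the `<filters>` paragraph should point readers to the `<indicators>` option (`active_indicators` / `expired_indicators`) as the supported way to match on indicator validity. The one substantive correction, `threatType` renamed to `threat_type`, is not called out anywhere in the hunk; a short note (or a changelog line) saying that `threat_type` is the attribute name actually accepted by `hasThreatMatch` would prevent readers from assuming the old camelCase form still works. The unchanged `type` line also carries a stray quote in `'file:hashes`, which could be fixed in the same pass.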