Commit 9979e97

Update hasThreatMatch example
1 parent c6682a3 commit 9979e97

1 file changed

+1
-1
lines changed

docs/cse/rules/cse-rules-syntax.md

Lines changed: 1 addition & 1 deletion
@@ -671,7 +671,7 @@ For example:
671671
* `hasThreatMatch([dstDevice_ip], confidence > 1 AND (type="ipv4-addr" OR type="ipv6-addr"))`
672672
* `hasThreatMatch([file_hash_imphash, file_hash_md5, file_hash_pehash, file_hash_ssdeep, file_hash_sha1, file_hash_sha256], confidence > 1 AND type="file:hashes")`
673673
* `hasThreatMatch([http_url], confidence > 1 AND type="url")`
674-
* `hasThreatMatch([srcDevice_ip], confidence > 1 AND (type="ipv4-addr" OR type="ipv6-addr"))`
674+
* `hasThreatMatch([dstDevice_ip, srcDevice_ip], (confidence >1 AND confidence <50) AND (type='ipv4-addr' OR type='ipv6-addr'))`
675675

676676
Following are the standard indicator types you can filter on:
677677
* `file:hashes`. File hash. (If you want to add the hash algorithm, enter `file:hashes.<HASH-TYPE>`. For example, `[file:hashes.MD5 = '5d41402abc4b2a76b9719d911017c592']` or `[file:hashes.'SHA-256' = '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c']`.)
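
Review bot: The replacement example on new line 674 is formatted differently from the three examples directly above it: it uses single quotes (`type='ipv4-addr' OR type='ipv6-addr'`) where they use double quotes, and it writes `confidence >1` and `confidence <50` without the space used in `confidence > 1`. Please match the existing style, or, if both quote styles are accepted by the rule syntax, say so in the surrounding text so readers do not have to guess. The example also now demonstrates two new things at once (a multi-field list `[dstDevice_ip, srcDevice_ip]` and a bounded range), and the upper bound `confidence <50` means a rule copied from this line would skip indicators with confidence of 50 or more. Nothing in the visible text explains that the range is only illustrative, so consider adding a sentence to that effect, or keeping the original `srcDevice_ip` line with `confidence > 1` and adding the range form as a separate bullet.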
