12 lines
346 B
Plaintext
12 lines
346 B
Plaintext
@load base/frameworks/intel
|
|
@load ./where-locations
|
|
|
|
event file_hash(f: fa_file, kind: string, hash: string) &group="Intel::FILE_HASH"
|
|
{
|
|
local seen = Intel::Seen($indicator=hash,
|
|
$indicator_type=Intel::FILE_HASH,
|
|
$f=f,
|
|
$where=Files::IN_HASH);
|
|
|
|
Intel::seen(seen);
|
|
} |