From 756cb5ed4b6e6a2de9e4af851126786a13ec637d Mon Sep 17 00:00:00 2001 From: Charles Ngor Date: Wed, 13 Mar 2024 19:02:39 +0100 Subject: [PATCH] Improve warning message --- _shared_content/ioccollections.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/_shared_content/ioccollections.md b/_shared_content/ioccollections.md index 29b377eb70..5385f0aa83 100644 --- a/_shared_content/ioccollections.md +++ b/_shared_content/ioccollections.md @@ -37,8 +37,7 @@ Each indicator inside the collection can have the following properties: - Description: any text that would add additional context. It is limited to **500 characters** !!! warning - If you select the kill chain ‘Command a Control’ when importing indicators in an IOC collection, our retrohunt engine will look only into `destination.ip`. - This reduces false positives, as C2 servers tend to scan networks a lot. By doing this, we look for slave servers that respond to a C2 server. + If you select the kill chain phase 'Command and Control' when importing IP addresses in an IOC collection, our detection engines will only look into `destination.ip`. This is meant to reduce false positives, such as network scans. ### Limitations
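Review bot: In the added warning line, "will only look into `destination.ip`" leaves the practical consequence implicit, and the rationale "such as network scans" no longer says whose scans are meant, which the removed line did ("C2 servers tend to scan networks a lot"). Suggest spelling both out, for example: "Events where the address appears only in `source.ip` are not matched, which avoids false positives from scans coming from that address." Separately, the new line changes "retrohunt engine" to "detection engines" and narrows "indicators" to "IP addresses"; if that change of scope is intentional, it deserves a mention in the commit message, since "Improve warning message" reads as a wording-only change.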