From bb28242dd874a0d7abf3ff9509f5cf8ee5efdbfc Mon Sep 17 00:00:00 2001
From: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Date: Mon, 11 Dec 2023 10:26:45 +0200
Subject: [PATCH] Add references to rules (cisco_umbrella_dns_rules) (#1002)

---
 rules/cisco_umbrella_dns_rules/domain_blocked.yml | 1 +
 rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml | 1 +
 rules/cisco_umbrella_dns_rules/suspicious_domains.yml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/rules/cisco_umbrella_dns_rules/domain_blocked.yml b/rules/cisco_umbrella_dns_rules/domain_blocked.yml
index 8f18ca5e1..dab154b05 100644
--- a/rules/cisco_umbrella_dns_rules/domain_blocked.yml
+++ b/rules/cisco_umbrella_dns_rules/domain_blocked.yml
@@ -11,6 +11,7 @@ Tags:
 Severity: Low
 Description: Monitor blocked domains
 Runbook: Inspect the blocked domain and lookup for malware
+Reference: https://support.umbrella.com/hc/en-us/articles/230563627-How-to-determine-if-a-domain-or-resource-is-being-blocked-using-Chrome-Net-Internals
 SummaryAttributes:
   - action
   - internalIp
diff --git a/rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml b/rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml
index 971a1bb1e..d78c2ff06 100644
--- a/rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml
+++ b/rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml
@@ -9,6 +9,7 @@ LogTypes:
 Tags:
   - Configuration Required
   - DNS
+Reference: https://umbrella.cisco.com/blog/abcs-of-dns
 Severity: Medium
 Description: Identify lookups to suspicious domains that could indicate a phishing attack.
 Runbook: >
diff --git a/rules/cisco_umbrella_dns_rules/suspicious_domains.yml b/rules/cisco_umbrella_dns_rules/suspicious_domains.yml
index f81de366e..f73d3fd60 100644
--- a/rules/cisco_umbrella_dns_rules/suspicious_domains.yml
+++ b/rules/cisco_umbrella_dns_rules/suspicious_domains.yml
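Review bot: The new `Reference:` key is placed inconsistently across the three rule files: in domain_blocked.yml it is inserted after `Runbook:`, while in fuzzy_matching_domains.yml and suspicious_domains.yml it sits between `Tags:` and `Severity:`. Key order does not change how the rule evaluates, but it makes the metadata block harder to diff and review across the rule set. I would move the domain_blocked.yml line up so it follows `Tags:` like the other two, e.g. `Reference: https://support.umbrella.com/hc/en-us/articles/230563627-How-to-determine-if-a-domain-or-resource-is-being-blocked-using-Chrome-Net-Internals` directly before `Severity: Low`.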
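Review bot: The same `Reference: https://umbrella.cisco.com/blog/abcs-of-dns` link is added to both fuzzy_matching_domains.yml and suspicious_domains.yml, and judging from its URL it appears to be a general DNS primer rather than material on the phishing or suspicious-domain behavior these rules describe. A reference that a responder following the `Runbook:` can act on (for example, Umbrella's documentation of the category or verdict field the rule keys on) would be more useful, assuming such a page exists for these log types. If the primer is intentional, a short trailing comment on the line, such as `# general DNS background; see Runbook for triage steps`, would make that clear to the next maintainer.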
@@ -9,6 +9,7 @@ LogTypes:
 Tags:
   - DNS
   - Configuration Required
+Reference: https://umbrella.cisco.com/blog/abcs-of-dns
 Severity: Low
 Description: Monitor suspicious or known malicious domains
 Runbook: Inspect the domain and check the host for other indicators of compromise