From df8d1c342df06e75eeb7a4002d289e907460dd81 Mon Sep 17 00:00:00 2001
From: Francisco Santos
Date: Tue, 26 Sep 2023 12:50:32 +0200
Subject: [PATCH] Network watch track behaviour
---
 examples/netwatch_templates/file.yara | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/examples/netwatch_templates/file.yara b/examples/netwatch_templates/file.yara
index c133315..b32ef09 100644
--- a/examples/netwatch_templates/file.yara
+++ b/examples/netwatch_templates/file.yara
@@ -6,3 +6,14 @@ condition:
 vt.metadata.new_file and
 vt.metadata.itw.domain.root == "${domain}"
 }
+
+
+rule network_watch_contact_${domain_escaped} : ${domain_escaped} {
+meta:
+ description = "New files contacting ${domain}"
+ target_entity = "file"
+condition:
+ for any lookup in vt.behaviour.dns_lookups : (
+ lookup.hostname iequals "${domain}"
+ )
+}
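Review bot: The description of `network_watch_contact_${domain_escaped}` says "New files contacting ${domain}", but its condition has no `vt.metadata.new_file` term, unlike the rule directly above it, so it will presumably also fire when an already-known file is re-analysed; if only first-seen files are wanted, begin the condition with `vt.metadata.new_file and`. The comparison `lookup.hostname iequals "${domain}"` matches that exact hostname only, whereas the existing rule keys on `itw.domain.root`, so DNS lookups of subdomains go unnoticed; consider `lookup.hostname iequals "${domain}" or lookup.hostname iendswith ".${domain}"`, where the leading dot stops an unrelated name that merely ends in the same characters from matching. Both rules interpolate `${domain}` straight into a string literal, so the script that fills the template (outside this hunk) should reject values containing quotes or backslashes before rendering.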