Phishing sites often use domains containing the brand name they're impersonating.
Let's find a phishing site where the domain contains "stripe".
This is a companion discussion topic for the original entry at https://phish.report/IOK/learn/010-hello-phish
Stuck? Here’s a minimal working rule:
detection:
  containsStripe:
    hostname|contains: "stripe"
  condition: containsStripe
As IOK is based on the Sigma language, any Sigma tutorial will be helpful in learning, e.g. SOC Level Up: Introduction to Sigma Rules.
Or check out any of the rules in our open source repo: https://github.com/phish-report/IOK/tree/main/indicators
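To see what the minimal rule above does and does not match, here is an added example (not part of the original posts and not IOK's own code) that evaluates it in Python over constructed URLs. It assumes Sigma's default case-insensitive string matching and models only the `hostname` field; the helper names and the sample URLs are hypothetical.

```python
from urllib.parse import urlsplit

# The minimal rule from the post above, written as a Python dict.
RULE = {
    "detection": {
        "containsStripe": {"hostname|contains": "stripe"},
        "condition": "containsStripe",
    }
}

# Sigma-style string modifiers (assumed: case-insensitive, as in Sigma's default).
MODIFIERS = {
    None: lambda value, pattern: value == pattern,
    "contains": lambda value, pattern: pattern in value,
    "startswith": lambda value, pattern: value.startswith(pattern),
    "endswith": lambda value, pattern: value.endswith(pattern),
}

def fields_for(url):
    """Build the fields a rule can reference; only `hostname` is modelled here."""
    return {"hostname": urlsplit(url).hostname or ""}

def selection_matches(selection, fields):
    """All keys in a selection must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        name, _, modifier = key.partition("|")
        test = MODIFIERS[modifier or None]
        value = fields.get(name, "").lower()
        patterns = expected if isinstance(expected, list) else [expected]
        if not any(test(value, str(p).lower()) for p in patterns):
            return False
    return True

def rule_matches(rule, url):
    """Evaluate a rule whose condition names a single selection."""
    detection = rule["detection"]
    return selection_matches(detection[detection["condition"]], fields_for(url))

# Constructed sample URLs (not real observations).
SAMPLES = [
    "https://stripe-billing-verify.example/login",  # brand in the domain
    "https://STRIPE.secure-pay.example/",           # brand as a subdomain, upper case
    "https://pinstripe-tailors.example/",           # unrelated word containing "stripe"
    "https://payments.example/stripe/checkout",     # brand only in the path
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(rule_matches(RULE, url), url)
```

The third sample matches because `contains` is a plain substring test, and the fourth does not because the rule only looks at the hostname. In practice a hostname match like this is usually combined with other fields to cut down on false positives.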