id: host_only_from_bruteforce
version: 1
meta:
  name: Host only from bruteforcing
  description: >
    A hostname was found only by brute-forcing but nowhere else.

    Since the host was not found anywhere else, this may indicate
    that the host is in some way special, perhaps not intended to
    be publicly exposed/used.
  risk: LOW
collections:
  - collect:
      - method: exact
        field: type
        value: INTERNET_NAME
      - method: exact
        field: module
        value: sfp_dnsbrute
  - collect:
      - method: exact
        field: type
        value: INTERNET_NAME
      - method: exact
        field: module
        value: not sfp_dnsbrute
aggregation:
  field: data
analysis:
  - method: first_collection_only
    field: data
headline: "Host found only through bruteforcing: {data}"