Gus rules recomm.

examples/netwatch_templates/domain.yara

@@ -1,8 +1,8 @@
 rule network_watch_${domain_escaped} : ${domain_escaped} {
 meta:
-  description = "Monitor new domains for ${domain}"
+  description = "Monitor new subdomains for ${domain}"
   target_entity = "domain"
 condition:
   vt.net.domain.new_domain and
-  vt.net.domain.raw endswith "${domain}"
+  vt.net.domain.root == "${domain}"
 }

examples/netwatch_templates/file.yara

@@ -1,8 +1,8 @@
 rule network_watch_${domain_escaped} : ${domain_escaped} {
 meta:
-  description = "New files downloaded from domain ${domain}"
+  description = "New files downloaded from ${domain}"
   target_entity = "file"
 condition:
   vt.metadata.new_file and
-  vt.metadata.itw.domain.raw iendswith "${domain}"
+  vt.metadata.itw.domain.root == "${domain}"
 }

examples/netwatch_templates/ip_address.yara

@@ -1,7 +1,8 @@
 rule network_watch_${domain_escaped} : ${domain_escaped} {
 meta:
-  description = "New IP addresses resolving domain ${domain}"
+  description = "New IP addresses resolving domain ${domain} or its subdomains"
   target_entity = "ip_address"
 condition:
-  vt.net.ip.reverse_lookup iendswith "${domain}"
+  vt.net.ip.reverse_lookup == "${domain}"
+  vt.net.ip.reverse_lookup endswith ".${domain}"
 }

examples/netwatch_templates/url.yara

@@ -4,5 +4,5 @@ meta:
   target_entity = "url"
 condition:
   vt.net.url.new_url and
-  vt.net.domain.raw == "${domain}"
+  vt.net.domain.root == "${domain}"
 }