Detect attempts to run vulnerability scanners, etc. based on the Activate Attack Tool pattern group.
| matchsig field=domain guid="331ac759-22c0-456b-865b-5bbb537d732e" verify=f
| eval result = strjoin("\n", foreach(valueof(_1, "rule"), _matchsig_result)) | fields - _matchsig_result
