IBM QRadar: Rules: Difference between revisions
| (10 intermediate revisions by the same user not shown) | |||
| Line 12: | Line 12: | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! | ! Rule !! Description | ||
|- | |- | ||
| | |||
Apply '''Potential Windows Enumeration Detected'''</br> | Apply '''Potential Windows Enumeration Detected'''</br> | ||
'''and''' when an event matches '''any''' of the following '''BB: Windows Endpoint Events'''</br> | '''and''' when an event matches '''any''' of the following '''BB: Windows Endpoint Events'''</br> | ||
'''and''' when the event matches '''Event ID is any of 4688'''</br> | '''and''' when the event matches '''Event ID is any of 4688'''</br> | ||
'''and''' when the event matches '''Command (custom) any of [whoami or tasklist or system info]'''</br> | '''and''' when the event matches '''Command (custom) any of [whoami or tasklist or system info]'''</br> | ||
'''and NOT''' when the source OP is on of the following '''IP addresses''' || | '''and NOT''' when the source OP is on of the following '''IP addresses''' | ||
|| Comandos que hackers pegam informações em servidores MS Windows | |||
|- | |- | ||
| | | | ||
Apply '''Login After Work Hours'''</br> | |||
'''and NOT''' when the event occur between '''09:00''' AND '''17:00'''</br> | |||
'''and''' when an event were detected by on or more of '''Netgate pfSense'''</br> | |||
'''and''' when the event QID is one of the following '''(11xx) pfSense - Login on console''' | |||
|| | |||
Login após horário de trabalho | |||
|- | |- | ||
| | | . || . | ||
|} | |} | ||
== Exemplo: (Github) Sigma - Curl Download And Execute Combination == | |||
* [https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml (Github) Sigma - Curl Download And Execute Combination] | |||
title: Curl Download And Execute Combination | |||
... | |||
selection: | |||
CommandLine|contains|windash: ' -c ' | |||
CommandLine|contains|all: | |||
- 'curl ' | |||
- 'http' | |||
- '-o' | |||
- '&' | |||
condition: selection | |||
And in IBM QRadar Rule: | |||
Apply '''Curl Download And Execute Combination''' | |||
'''and''' when an event matches '''any''' of the following '''BB: Windows Endpoint Events''' | |||
'''and''' when the event matches '''Event ID is any of 4688''' | |||
'''and''' when the event matches '''Command (custom) contains all of [/c or curl or http or -o or &]''' | |||
= Ver também = | = Ver também = | ||
Latest revision as of 19:20, 19 January 2025
Uma Rule (regra) é um grupo de testes que podem desencadear uma ação se condições específicas forem atendidas.
Artigos
Exemplos
| Rule | Description |
|---|---|
|
Apply Potential Windows Enumeration Detected |
Comandos que hackers pegam informações em servidores MS Windows |
|
Apply Login After Work Hours |
Login após horário de trabalho |
| . | . |
Exemplo: (Github) Sigma - Curl Download And Execute Combination
title: Curl Download And Execute Combination
...
selection:
CommandLine|contains|windash: ' -c '
CommandLine|contains|all:
- 'curl '
- 'http'
- '-o'
- '&'
condition: selection
And in IBM QRadar Rule:
Apply Curl Download And Execute Combination and when an event matches any of the following BB: Windows Endpoint Events and when the event matches Event ID is any of 4688 and when the event matches Command (custom) contains all of [/c or curl or http or -o or &]