IBM QRadar: Rules: Difference between revisions

From Wiki
 
(6 intermediate revisions by the same user not shown)
Line 7: Line 7:


* [https://github.com/SigmaHQ/sigma (Github) Sigma - Generic Signature Format for SIEM Systems]
* [https://github.com/SigmaHQ/sigma (Github) Sigma - Generic Signature Format for SIEM Systems]
* [https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml Curl Download And Execute Combination]


= Exemplos =
= Exemplos =
Line 24: Line 22:
|| Comandos que hackers pegam informações em servidores MS Windows
|| Comandos que hackers pegam informações em servidores MS Windows
|-
|-
| . || .
|
Apply '''Login After Work Hours'''</br>
'''and NOT''' when the event occur between '''09:00''' AND '''17:00'''</br>
'''and''' when an event were detected by on or more of '''Netgate pfSense'''</br>
'''and''' when the event QID is one of the following '''(11xx) pfSense - Login on console'''
||
Login após horário de trabalho
|-
|-
| . || .
| . || .
|}
|}
== Exemplo: (Github) Sigma - Curl Download And Execute Combination ==
* [https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml (Github) Sigma - Curl Download And Execute Combination]
title: Curl Download And Execute Combination
...
selection:
  CommandLine|contains|windash: ' -c '
  CommandLine|contains|all:
    - 'curl '
    - 'http'
    - '-o'
    - '&'
condition: selection
And in IBM QRadar Rule:
Apply '''Curl Download And Execute Combination'''
'''and''' when an event matches '''any''' of the following '''BB: Windows Endpoint Events'''
'''and''' when the event matches '''Event ID is any of 4688'''
'''and''' when the event matches '''Command (custom) contains all of [/c or curl or http or -o or &]'''


= Ver também =
= Ver também =

Latest revision as of 19:20, 19 January 2025

Uma Rule (regra) é um grupo de testes que podem desencadear uma ação se condições específicas forem atendidas.


Artigos

Exemplos

Rule Description

Apply Potential Windows Enumeration Detected
and when an event matches any of the following BB: Windows Endpoint Events
and when the event matches Event ID is any of 4688
and when the event matches Command (custom) any of [whoami or tasklist or system info]
and NOT when the source OP is on of the following IP addresses

Comandos que hackers pegam informações em servidores MS Windows

Apply Login After Work Hours
and NOT when the event occur between 09:00 AND 17:00
and when an event were detected by on or more of Netgate pfSense
and when the event QID is one of the following (11xx) pfSense - Login on console

Login após horário de trabalho

. .

Exemplo: (Github) Sigma - Curl Download And Execute Combination

title: Curl Download And Execute Combination
...
selection:
  CommandLine|contains|windash: ' -c '
  CommandLine|contains|all:
    - 'curl '
    - 'http'
    - '-o'
    - '&'
condition: selection

And in IBM QRadar Rule: 

Apply Curl Download And Execute Combination
and when an event matches any of the following BB: Windows Endpoint Events
and when the event matches Event ID is any of 4688
and when the event matches Command (custom) contains all of [/c or curl or http or -o or &]

Ver também

Retrieved from "https://ebasso.net/wiki/index.php?title=IBM_QRadar:_Rules&oldid=9209"