IBM QRadar: Rules: Difference between revisions

From Wiki
 
(3 intermediate revisions by the same user not shown)
Line 5: Line 5:


* [https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2022/09/29/everything-you-need-to-know-about-qradar-rules Everything you need to know about QRadar Rules (for beginners and experts)]
* [https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2022/09/29/everything-you-need-to-know-about-qradar-rules Everything you need to know about QRadar Rules (for beginners and experts)]
= Exemplos =


* [https://github.com/SigmaHQ/sigma (Github) Sigma - Generic Signature Format for SIEM Systems]
* [https://github.com/SigmaHQ/sigma (Github) Sigma - Generic Signature Format for SIEM Systems]
* [https://github.com/Xboarder56/QRCE-Rules (Github) Open Source Rules for QRadar QRCE]


= Exemplos =
= Exemplos =
Line 34: Line 38:
'''and''' when the event QID is one of the following </br> '''(38750076) Disk Sentry Disk Usage Exceed Warn Threshold''',</br>  '''(38750038) Disk sentry disk usage exceeded threshold'''
'''and''' when the event QID is one of the following </br> '''(38750076) Disk Sentry Disk Usage Exceed Warn Threshold''',</br>  '''(38750038) Disk sentry disk usage exceeded threshold'''
||
||
Alerta de Falta de Espaço em Disco
Alerta de Falta de Espaço em Disco</br>
O IBM QRadar Disk Sentry monitora as partições /, /store, /storetmp, /transient e /var/log antes que elas atinjam um limite de uso predefinido.
O IBM QRadar Disk Sentry monitora as partições /, /store, /storetmp,</br> /transient e /var/log antes que elas atinjam um limite de uso predefinido.
|-
|-
|
|

Latest revision as of 19:51, 2 March 2025

Uma Rule (regra) é um grupo de testes que podem desencadear uma ação se condições específicas forem atendidas.


Artigos

Exemplos

Exemplos

Rule Description

Apply Potential Windows Enumeration Detected
and when an event matches any of the following BB: Windows Endpoint Events
and when the event matches Event ID is any of 4688
and when the event matches Command (custom) any of [whoami or tasklist or system info]
and NOT when the source OP is on of the following IP addresses

Comandos que hackers pegam informações em servidores MS Windows

Apply Login After Work Hours
and NOT when the event occur between 09:00 AND 17:00
and when an event were detected by on or more of Netgate pfSense
and when the event QID is one of the following (11xx) pfSense - Login on console

Login após horário de trabalho

Apply Disk Space Alert
and when the event QID is one of the following
(38750076) Disk Sentry Disk Usage Exceed Warn Threshold,
(38750038) Disk sentry disk usage exceeded threshold

Alerta de Falta de Espaço em Disco
O IBM QRadar Disk Sentry monitora as partições /, /store, /storetmp,
/transient e /var/log antes que elas atinjam um limite de uso predefinido.

Apply No Events on the last 2 hours
and when the event(s) have not beed detected by one or more of Log Source Group for NNN seconds

Log Source sem eventos a 2 horas

Apply Alert about dropped events
and when the event QID is one of the following
(38750060) Event pipeline dropped events

Alerta sobre eventos descartados

Exemplo: (Github) Sigma - Curl Download And Execute Combination

title: Curl Download And Execute Combination
...
selection:
  CommandLine|contains|windash: ' -c '
  CommandLine|contains|all:
    - 'curl '
    - 'http'
    - '-o'
    - '&'
condition: selection

And in IBM QRadar Rule: 

Apply Curl Download And Execute Combination
and when an event matches any of the following BB: Windows Endpoint Events
and when the event matches Event ID is any of 4688
and when the event matches Command (custom) contains all of [/c or curl or http or -o or &]

Ver também

Retrieved from "https://ebasso.net/wiki/index.php?title=IBM_QRadar:_Rules&oldid=9264"