IBM QRadar: Rules: Difference between revisions
(Created page with "A Rule is a group of tests that can trigger an action if specific conditions are met. = Articles = * [https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2022/09/29/everything-you-need-to-know-about-qradar-rules Everything you need to know about QRadar Rules (for beginners and experts)] * [https://github.com/SigmaHQ/sigma (Github) Sigma - Generic Signature Format for SIEM Systems] = Examples = {| class="wikitable" |...")
Revision as of 18:47, 19 January 2025
A Rule is a group of tests that can trigger an action if specific conditions are met.
Articles

* Everything you need to know about QRadar Rules (for beginners and experts): https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2022/09/29/everything-you-need-to-know-about-qradar-rules
* (Github) Sigma - Generic Signature Format for SIEM Systems: https://github.com/SigmaHQ/sigma
Examples
| Header text | Header text | Header text |
|---|---|---|
| Windows Events | Apply **Potential Windows Enumeration Detected**<br>**and** when an event matches **any** of the following **BB: Windows Endpoint Events**<br>**and** when the event matches **Event ID is any of 4688**<br>**and** when the event matches **Command (custom) any of [whoami or tasklist or system info]**<br>**and NOT** when the source IP is one of the following **IP addresses** | Example |
| Example | Example | Example |
| Example | Example | Example |
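To make the four tests of the rule above concrete, here is an added Python emulation (not QRadar code and not part of the original page) that runs the same logic over a few constructed process-creation events. It assumes the "Command (custom)" property holds the process name, that the "BB: Windows Endpoint Events" building block reduces to a log-source check, and that the excluded source IP list is an allow-listed network, none of which the page specifies.

```python
"""Emulate the 'Potential Windows Enumeration Detected' rule over constructed events."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Test values taken from the rule on the page.
PROCESS_CREATION_EVENT_ID = 4688
ENUMERATION_COMMANDS = {"whoami", "tasklist", "system info"}

# Assumption: 'BB: Windows Endpoint Events' is modelled as a set of log-source names.
WINDOWS_ENDPOINT_SOURCES = {"WindowsAuthServer"}
# Assumption: the rule's excluded 'IP addresses' are an allow-listed scanner/admin range
# (constructed value; the page does not list the addresses).
EXCLUDED_SOURCE_NETWORKS = [ip_network("10.10.0.0/24")]


@dataclass
class Event:
    """Minimal normalised event, constructed for this example."""
    log_source: str
    event_id: int
    source_ip: str
    command: str  # assumed content of the 'Command (custom)' property


def matches_rule(event: Event) -> bool:
    """Return True only when every test of the rule passes, in the page's order."""
    if event.log_source not in WINDOWS_ENDPOINT_SOURCES:      # BB: Windows Endpoint Events
        return False
    if event.event_id != PROCESS_CREATION_EVENT_ID:            # Event ID is any of 4688
        return False
    if event.command.lower() not in ENUMERATION_COMMANDS:      # Command (custom) any of [...]
        return False                                           # (case-folding is an assumption)
    src = ip_address(event.source_ip)
    if any(src in net for net in EXCLUDED_SOURCE_NETWORKS):    # and NOT source IP in list
        return False
    return True


def run_rule(events):
    """Return the events the rule would fire on."""
    return [e for e in events if matches_rule(e)]


SAMPLE_EVENTS = [  # constructed sample input
    Event("WindowsAuthServer", 4688, "192.168.1.25", "whoami"),    # fires
    Event("WindowsAuthServer", 4688, "192.168.1.25", "notepad"),   # not an enumeration command
    Event("WindowsAuthServer", 4624, "192.168.1.25", "tasklist"),  # logon event, not 4688
    Event("LinuxServer", 4688, "192.168.1.25", "tasklist"),        # outside the building block
    Event("WindowsAuthServer", 4688, "10.10.0.7", "tasklist"),     # excluded source range
    Event("WindowsAuthServer", 4688, "192.168.1.40", "TASKLIST"),  # fires
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("Potential Windows Enumeration Detected:", hit)
```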