IBM QRadar: Rules: Difference between revisions

From Wiki
No edit summary
No edit summary
Line 7: Line 7:


* [https://github.com/SigmaHQ/sigma (Github) Sigma - Generic Signature Format for SIEM Systems]
* [https://github.com/SigmaHQ/sigma (Github) Sigma - Generic Signature Format for SIEM Systems]
* [https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml (Github) Sigma - Curl Download And Execute Combination]


= Exemplos =
= Exemplos =
Line 28: Line 26:
| . || .
| . || .
|}
|}
== Exemplo: (Github) Sigma - Curl Download And Execute Combination ==
* [https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml (Github) Sigma - Curl Download And Execute Combination]
selection:
  CommandLine|contains|windash: ' -c '
  CommandLine|contains|all:
    - 'curl '
    - 'http'
    - '-o'
    - '&'
condition: selection


= Ver também =
= Ver também =

Revision as of 18:57, 19 January 2025

Uma Rule (regra) é um grupo de testes que podem desencadear uma ação se condições específicas forem atendidas.


Artigos

Exemplos

Rule Description

Apply Potential Windows Enumeration Detected
and when an event matches any of the following BB: Windows Endpoint Events
and when the event matches Event ID is any of 4688
and when the event matches Command (custom) any of [whoami or tasklist or system info]
and NOT when the source OP is on of the following IP addresses

Comandos que hackers pegam informações em servidores MS Windows
. .
. .

Exemplo: (Github) Sigma - Curl Download And Execute Combination

selection:
  CommandLine|contains|windash: ' -c '
  CommandLine|contains|all:
    - 'curl '
    - 'http'
    - '-o'
    - '&'
condition: selection


Ver também

Retrieved from "https://ebasso.net/wiki/index.php?title=IBM_QRadar:_Rules&oldid=9204"