Uma Rule (regra) é um grupo de testes que podem desencadear uma ação se condições específicas forem atendidas.

Artigos

Everything you need to know about QRadar Rules (for beginners and experts)

(Github) Sigma - Generic Signature Format for SIEM Systems

Exemplos

Rule	Description
Apply Potential Windows Enumeration Detected and when an event matches any of the following BB: Windows Endpoint Events and when the event matches Event ID is any of 4688 and when the event matches Command (custom) any of [whoami or tasklist or system info] and NOT when the source OP is on of the following IP addresses	Comandos que hackers pegam informações em servidores MS Windows
.	.
.	.

Exemplo: (Github) Sigma - Curl Download And Execute Combination

(Github) Sigma - Curl Download And Execute Combination

selection:
  CommandLine|contains|windash: ' -c '
  CommandLine|contains|all:
    - 'curl '
    - 'http'
    - '-o'
    - '&'
condition: selection

And in IBM QRadar Rule:

Apply Potential Windows Enumeration Detected
and when an event matches any of the following BB: Windows Endpoint Events
and when the event matches Event ID is any of 4688
and when the event matches Command (custom) any of [/c or curl or http or -o or &]

Ver também