SIEM Rules

Curious, do people share rules here that they have developed? Based on seen activity or just rules in Dev?

For example, we are working on a C2 rule. We are regexing the IP from the command line when putty or other SSH tools are used to make an external connection.

<snip>

    // Capture the first dotted-quad from the command line of the SSH client
    $PuttyIP = re.capture($e1.target.process.command_line, `(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})`)
    // Drop empty captures and addresses inside the internal range
    not ($PuttyIP = ""
         or net.ip_in_range_cidr($PuttyIP, "X.X.X.X/X"))

  match:
    $hostname, $PuttyIP over 1m

  condition:
    $e1


</snip>
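To make the rule's logic testable outside the SIEM, here is an added Python version (not from the post or from the SIEM vendor) that runs the same capture-then-exclude check over constructed process events. It goes a little beyond the fragment above: it validates each regex hit with `ipaddress` (the `\d{1,3}` pattern also matches octets above 255), excludes RFC 1918 and loopback space in addition to a placeholder corporate range standing in for `X.X.X.X/X`, and groups hits by hostname and IP the way the `match:` clause does. Tool names, the sample events and the ranges are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"hostname": "ws-01", "process": "putty.exe", "cmdline": "putty.exe -ssh 203.0.113.7 -P 2222"},
    {"hostname": "ws-01", "process": "plink.exe", "cmdline": "plink.exe -ssh admin@203.0.113.7"},
    {"hostname": "ws-02", "process": "putty.exe", "cmdline": "putty.exe -ssh 10.20.30.40"},
    {"hostname": "ws-03", "process": "ssh.exe",   "cmdline": "ssh.exe -i key.pem user@192.0.2.55"},
    {"hostname": "ws-04", "process": "putty.exe", "cmdline": "putty.exe -load saved-session"},
    {"hostname": "ws-05", "process": "putty.exe", "cmdline": "putty.exe -ssh 999.1.2.3"},
]

# Assumed set of SSH client binaries the rule is scoped to.
SSH_TOOLS = {"putty.exe", "plink.exe", "ssh.exe", "kitty.exe"}

# Same dotted-quad pattern as the post's re.capture(), bounded by non-digits so
# "1234.5.6.7" is not split into a spurious hit. Octets > 255 still match, which
# is why every candidate is validated with ipaddress below.
IPV4_RE = re.compile(r"(?<!\d)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?!\d)")

# Ranges treated as internal and excluded. 198.51.100.0/24 is a placeholder for
# the org's own range (the X.X.X.X/X in the post); the rest are RFC 1918/loopback.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "198.51.100.0/24",
)]

def extract_external_ip(cmdline):
    """Return the first valid, non-internal IPv4 in cmdline, or None."""
    for candidate in IPV4_RE.findall(cmdline):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.2.3 passes the regex but is not an address
            continue
        if any(ip in net for net in INTERNAL_RANGES):
            return None  # internal destination: outside the rule's scope
        return str(ip)
    return None

def detect_external_ssh(events):
    """Mirror the rule's match clause: group hits by (hostname, destination IP)."""
    hits = defaultdict(list)
    for ev in events:
        if ev["process"].lower() not in SSH_TOOLS:
            continue
        ip = extract_external_ip(ev["cmdline"])
        if ip is not None:
            hits[(ev["hostname"], ip)].append(ev["cmdline"])
    return dict(hits)
```

Running `detect_external_ssh(SAMPLE_EVENTS)` yields two groups, ws-01 to 203.0.113.7 (two events) and ws-03 to 192.0.2.55; the internal, saved-session and malformed-address events are dropped.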
