@ertugrulakbas
Last active November 15, 2021 13:50
Advanced SIEM Rules
Alert if a user has not logged in for more than 2 months
Alert if a user has not changed their password for more than 30 days
Alert if an RDP session stays open for more than 4 hours
Alert if a VPN session stays open for more than 4 hours
Alert if anyone downloads 1000 MB or more within 5 minutes, or downloads 500 MB from the same destination IP/domain within 10 minutes
Alert if a device (MAC) has not changed its IP address for more than 72 hours
Abnormal mail to/from acbfgtysss.xy for the organization
Abnormal activity duration/session count
Abnormal amount of bytes transmitted
Abnormal amount of bytes transmitted over DNS - firewall
Abnormal amount of data egressed to competitor domains compared to past behavior
Abnormal amount of data egressed to non-business domains compared to past behavior
Abnormal amount of data egressed to personal email account compared to past behavior
Abnormal amount of data egressed to removable media compared to past behavior
Abnormal amount of login attempt detected on MFA
Abnormal Email counts
Abnormal session start time
Access to internal applications / servers/ peers
Account creation/ disable/ lockout / deletion rates
Activity duration/ session counts
Authentication anomaly-Country Mismatch
Alert if the same user is connected over VPN from one machine while also connected over RDP to another machine at the same time
Detect if the same user has more than two failed logons to the same machine during the day without any successful logon
Alert if traffic arrives from a country last seen more than a month ago
Alert if a user accesses a domain nobody in the company has visited before at least once a day and more than twice a week
New city access for the first time
Credential switch to a privileged or execute sa
Alert if a domain was created within the last 24 hours and is not in the Alexa 1 million list, the Cisco Umbrella 1 million list, or our whitelist
Alert if a user who has not used VPN for at least 15 days (20-30-40-365 days) has remote interactive logons on more than 1 workstation within a short time
If a machine or user that has been silent for at least 30 days or more (e.g. 40, 60, 90, 365 days) is seen on the network again, shut down the machine and disable the user
Trigger an alarm if a port other than the standard proxy target ports that has not been used for at least the last 30 days (20-30-40-365 days) starts being used again, the port is above 1024, and it makes multiple requests with requestMethod=POST to more than one different dst IP address within 5 minutes
Entropy Mismatch
Excessive user logons on hosts
First access to database mssql for peer group HR
First access to database mssql for user
First access to device for the user
First activity from ISP
First connection from Source IP
First mail to/from acbfgtysss.xy for the organization
First remote login to device for the user
First switch to target account sa for the user
First time user is performing an activity from
First VPN connection from device for the user
Detect users who get locked out more than once a week or more than twice a month
Detect if any machine is blocked by the firewall at least 3 or more times at different hours during the day
High number of accounts from the same IP address for authentication failures or lockout events
High number of accounts from the same IP address for successful authentications or run as events
High number of accounts used on a workstation for authentication failures or lockout events
High number of accounts used on a workstation for successful authentications or run as events
High number of hosts accessed for authentication failures or lockout events
High number of hosts accessed for successful authentication events or run as events
High number of hosts accessed while enumerating critical ports
High number of redirected/blocked attempts
High number of run as activity across hosts
High number of server errors
If a user accesses sensitive files and at the same time the same user has a connection to file sharing sites then notify
If an account not used in at least the last 30 days (31-40-60-90-180 days etc.) notify/lock/delete the account automatically
If the domain was created within the last 24 hours and is not in the Alexa 1 million or Cisco Umbrella 1 million lists then notify
Alert if the time between two logins is less than 1 minute
Alert if the time between two failed logins is less than 1 minute
Impossible Travel Detection in Real-Time (VPN Anomaly)
Alert if a server that was shut down has not come back up within 4 hours
Alert if a user account was created and has not been used for 72 hours
Landspeed Anomaly detected
If a locked user account has still not been unlocked after 72 hours
Locked/disabled/expired account/restricted workstation logins
Logon from a rare country
New host logins
New processes / Registry changes
Odd time of access (first and last access)
Odd time of email activity
Odd time of logins
Alert if the Oracle database reports authentication failures from the user interface (Oracle Management Studio) and from the console (SQL*Plus) at the same time
Alert if mail arrives from mail addresses that resemble the original mail address
Password change rates
Password changes for the same user more than 3 within 45 days
Password spraying attempts from one account to multiple applications (enumeration)
Possible brute force attack detected on MFA
Successful password spraying attempt from one account to multiple applications
Successful/failed login activity rates
Suspicious / disposable domains
Upload/download deviations
Alert if a virus was found and has not been cleaned for more than 8 hours
VPN connection from a known anonymous proxy
Suspicious creation of new network ACL
Suspicious creation of security group
Suspicious deleting a rule from a network ACL
Suspicious deletion of customer gateway
Abnormal number of discover requests from a client