Last active: November 15, 2021 13:50
Gist: ertugrulakbas/42ea406bd0b4d602314019103aa7ae26
Advanced SIEM Rules
Alert if a user has not logged in for more than 2 months
Alert if a user has not changed their password for more than 30 days
Alert if an RDP session stays open for more than 4 hours
Alert if a VPN session stays open for more than 4 hours
Alert if a host downloads 1000 MB or more in 5 minutes, or downloads 500 MB from the same destination IP/domain in 10 minutes
Alert if a device (MAC) has not changed its IP for more than 72 hours
Abnormal mail to/from acbfgtysss.xy for the organization
Abnormal activity duration/session count
Abnormal amount of bytes transmitted
Abnormal amount of bytes transmitted over DNS - firewall
Abnormal amount of data egressed to competitor domains compared to past behavior
Abnormal amount of data egressed to non-business domains compared to past behavior
Abnormal amount of data egressed to personal email account compared to past behavior
Abnormal amount of data egressed to removable media compared to past behavior
Abnormal amount of login attempts detected on MFA
Abnormal email counts
Abnormal session start time
Access to internal applications / servers / peers
Account creation / disable / lockout / deletion rates
Activity duration / session counts
Authentication anomaly - country mismatch
Alert if the same user is connected over VPN to one machine while at the same time making an RDP connection to another machine
Detect if the same user has more than two failed logons to the same machine within a day without any successful logon
Alert on traffic from a country last seen more than a month ago
Alert if a user accesses a domain that nobody in the company has visited before, at least once a day and more than twice a week
New city access for the first time
Credential switch to a privileged or execute sa
Alert if a domain was created within the last 24 hours, is not in the Alexa 1 million or Cisco Umbrella 1 million lists, and is not on our whitelist
Alert if a user who has not used VPN for at least 15 days (20-30-40-365 days) performs a remote interactive logon on more than one workstation within a short time
If a machine or user that has been silent for at least 30 days or more (e.g. 40, 60, 90, 365 days) is seen on the network again, shut down the machine and disable the user
Trigger an alarm if a port other than the standard proxy target ports that has not been used for at least the last 30 days (20-30-40-365 days) starts being used again, the port is higher than 1024, and it makes multiple requests with requestMethod=POST to more than one different destination IP address within 5 minutes
Entropy mismatch
Excessive user logons on hosts
First access to database mssql for peer group HR
First access to database mssql for user
First access to device for the user
First activity from ISP
First connection from source IP
First mail to/from acbfgtysss.xy for the organization
First remote login to device for the user
First switch to target account sa for the user
First time user is performing an activity from
First VPN connection from device for the user
Detect users locked out more than once a week or more than twice a month
Detect any machine that is blocked by the firewall 3 or more times at different hours within a day
High number of accounts from the same IP address for authentication failures or lockout events
High number of accounts from the same IP address for successful authentications or run-as events
High number of accounts used on a workstation for authentication failures or lockout events
High number of accounts used on a workstation for successful authentications or run-as events
High number of hosts accessed for authentication failures or lockout events
High number of hosts accessed for successful authentication events or run-as events
High number of hosts accessed while enumerating critical ports
High number of redirected/blocked attempts
High number of run-as activity across hosts
High number of server errors
If a user accesses sensitive files and at the same time the same user has a connection to file sharing sites, then notify
If an account has not been used in at least the last 30 days (31-40-60-90-180 days etc.), notify/lock/delete the account automatically
If the domain was created within the last 24 hours and is not in the Alexa 1 million or Cisco Umbrella 1 million lists, then notify
Alert if the time between two logins is less than 1 minute
Alert if the time between two failed logins is less than 1 minute
Impossible travel detection in real time (VPN anomaly)
Alert if a server that went down has not come back up within 4 hours
Alert if a user account was created and has not been used for 72 hours
Landspeed anomaly detected
Alert if a locked user account has still not been unlocked after 72 hours
Locked/disabled/expired account / restricted workstation logins
Logon from a rare country
New host logins
New processes / registry changes
Odd time of access (first and last access)
Odd time of email activity
Odd time of logins
Alert if the Oracle database reports authentication failures from the GUI (Oracle Management Studio) and the console (SQL*Plus) at the same time
Alert if mail arrives from addresses that resemble the original mail address
Password change rates
Password changes for the same user more than 3 times within 45 days
Password spraying attempts from one account to multiple applications (enumeration)
Possible brute force attack detected on MFA
Successful password spraying attempt from one account to multiple applications
Successful/failed login activity rates
Suspicious / disposable domains
Upload/download deviations
Alert if a virus was found and has not been cleaned for more than 8 hours
VPN connection from a known anonymous proxy
Suspicious creation of new network ACL
Suspicious creation of security group
Suspicious deletion of a rule from a network ACL
Suspicious deletion of customer gateway
Abnormal number of discover requests from a client