QRadar Creating a rule that fires with internal communication to C&C or bad site

preview_player
Показать описание
In the long title
  1. Jose Bravo
  2. Reference set
  3. ref set
  4. Rest API
  5. STIX/TAXII
  6. Soltra
Рекомендации по теме
QRadar: All about 0:22:50

QRadar: All about QRadar Rules - Part 1

QRadar Creating a 0:08:58

QRadar Creating a rule that fires with internal communication to C&C or bad site

Rule creation, use 0:14:10

Rule creation, use case creation Basic in Qradar SIEM

Creating behavior, anomaly 0:02:45

Creating behavior, anomaly and threshold rules in QRadar

QRadar: All about 0:17:20

QRadar: All about QRadar Rules - Part 2

QRadar: Creating Searches, 0:16:15

QRadar: Creating Searches, Rules and Offenses using Categories

Simple Tricks To 0:08:56

Simple Tricks To Improve your QRadar Part One

QRadar Rule creation: 0:11:46

QRadar Rule creation: Baseline of trusted users

QRadar Why isn't 0:07:12

QRadar Why isn't my rule firing? Part 7. Troubleshooting multi test rules

QRadar CE 733 0:12:42

QRadar CE 733 Intro to Rules Offense and Searches

QRadar Automating with 0:04:40

QRadar Automating with Offenses

QRadar Why isn't 0:13:18

QRadar Why isn't my rule firing? Part 3. Our first rule

Creating and Debugging 0:05:30

Creating and Debugging Custom Rule Par 3 Payload Contains

My Take on 0:24:54

My Take on the Value of UBA in QRadar

QRadar Why isn't 0:05:42

QRadar Why isn't my rule firing? Part 5. Exporting and Importing Rules

SIEM Correlation Rules 0:15:08

SIEM Correlation Rules for Beginners

IBM QRadar UBA 0:10:55

IBM QRadar UBA tuning creating rules

QRadar Searches in 0:06:13

QRadar Searches in Six Minutes

QRadar CE - 0:05:05

QRadar CE - Dealing with Offenses

QRadar: All About 0:15:45

QRadar: All About Use Case Manager App - Part 1

QRadar Detecting multiple 0:09:47

QRadar Detecting multiple login failures to compliance servers

Mastering QRadar Rule 0:09:59

Mastering QRadar Rule Writing

QRadar: Unauthorized user 0:03:54

QRadar: Unauthorized user

QRadar Tuning Tips 0:04:59

QRadar Tuning Tips from Alaa Ali Part Three, Rules with most CRE events

Комментарии
Автор

Threat Intelligence App allows feeds of IOCs via STIX/TAXII to be placed on Reference sets for rules to use.
RFSI are mostly a set of smart rules.

jbravovideos
Автор

Jose - where is the best place to get the logs to replay as you have shown. Do you have any that can be used or is there a repository somewhere you van point us to?

collinp
Автор

what are the relations between Threat Intelligence app and Reference Set and the Package (RFISI) ?

tedahd
Автор

Mr Jose Bravo,
Your videos are quite usefull. Can u share related "data-sets" etc to allow us to complete the tutorial.

rktumuluri
Автор

Heyy, i am looking for a way to cater spaces in my command,

For example, i am testing a rule WMIC to execute local process.

The command to do this is.
Cmd>wmic process call create notepad.exe

Now, it can be any process in my rule i say, command contains any of wmic process call create but it do not works due to spaces b/w args.

How would you cater cases like these in which an offense should be generated based on the part of command available in event.

Thanks

djangoWarrir
Автор

Hi Jose Bravo,
Thanks for the video.
I'm unable create Authorized Service Token, saying application error. Could u please help me out.

jagadishyellulla