QRadar · 8 minute read

Rules and Building Blocks

Rule Engine Overview

QRadar's Custom Rule Engine (CRE) analyzes incoming events in real time and triggers a response when a rule's conditions are met.

Building Blocks

A Building Block is a reusable rule fragment. It does not generate an Offense on its own; other rules reference it.

Uses:

  • Define commonly used conditions (such as "internal IP ranges")
  • Avoid writing the same rule logic repeatedly
  • Make rules easier to maintain
  • Reduce computation (intermediate results are cached)

Creating a Rule

Path

Offenses > Rules

Rule Types

Rule Structure

Rule Syntax Examples

Test Conditions (Test)

Basic syntax:

when an event matches any of the following BB:CategoryDefinition: Authentication
and when the event(s) were detected by one or more of Windows Auth Server
and when any of Source IP are contained in any of Reference Set [Suspicious_IPs]

Condition logic:

# AND logic (all conditions must hold)
when sourceip = '192.168.1.100'
and when destinationport = 22

# OR logic (any one condition holds)
when username = 'admin'
or when username = 'root'

# NOT logic
when sourceip != '127.0.0.1'

# IN list
when sourceip IN [10.0.0.1, 10.0.0.2, 10.0.0.3]

# CONTAINS substring match
when username CONTAINS 'admin'

Time Window Conditions

# 10 occurrences within 5 minutes
when at least 10 events are seen
within 5 minutes

# First occurrence within 1 hour
when an event matches this exact condition
and when the event is not part of an existing offense
and when this event is the first event
within 1 hour

Response Actions (Action)

# Generate an Offense
emit an offense named "Suspicious Authentication from Known Bad IP"

# Send an email
and send email to [email protected]

# Add to a Reference Set
and add Source IP to Reference Set [Blocked_IPs] with a TTL of 7 days

# Set the Magnitude
and set the magnitude to 8

# Assign to a specific user
and assign the offense to user analyst1

# Execute a custom action (must be developed separately)
and execute custom action "Block_IP_Firewall"

Key Rule Elements

| Element       | Description           | Recommendation                                        |
|---------------|-----------------------|-------------------------------------------------------|
| Test          | Trigger condition     | Be as specific as possible; avoid overly broad tests  |
| Action        | Response action       | Choose a response that fits the scenario              |
| Rule Response | Limits response rate  | Prevents Offense storms                               |
| Severity      | Rule severity         | Feeds into the Magnitude calculation                  |
| Credibility   | Rule credibility      | Based on the reliability of the log source            |
| Relevance     | Rule relevance        | Based on the importance of the asset                  |

Rule Response configuration example:

Limit the number of offenses created per hour to 10
Limit the number of events tracked per offense to 100

Rule Performance Optimization

Before vs. after

❌ Inefficient rule:

when an event matches any condition  # far too broad!
and when sourceip = '192.168.1.100'  # the specific condition comes last

✅ Efficient rule:

when the events were detected by one or more of [specific log sources]  # narrow the scope first
and when sourceip = '192.168.1.100'  # then the specific condition
and when QIDNAME(qid) = 'Failed Login'  # match the event type exactly

Rule Debugging

Enable the Rule Profiler:

Admin > System Settings > Event Pipeline > Rule Profiler
- Once enabled, it records the execution time and match count of every rule
- View the results under Dashboard > Rule Performance

Common Rule Scenarios

Scenario 1: Brute-Force Detection

Rule name: Brute Force Login Detection

Test:
when an event matches any of the following BB:CategoryDefinition: Authentication
and when QIDNAME(qid) = 'Failed Login'
and when the events were detected by one or more of [Authentication Servers]
and when at least 5 events are seen
within 5 minutes
from the same Source IP

Action:
emit an offense named "Brute Force Login Attempts from {sourceip}"
and set the credibility to 8
and set the relevance to 7
and set the severity to 7
and send email to [email protected]

Rule Response:
Limit the number of offenses created per hour to 10
Limit the number of events tracked per offense to 100

Scenario 2: Unusual Login Time

Rule name: Off-Hours Admin Login

Test:
when an event matches any of the following BB:CategoryDefinition: Authentication
and when QIDNAME(qid) = 'Successful Login'
and when username IN [admin, administrator, root]
and when the event occurs
between 22:00 and 06:00

Action:
emit an offense named "Off-Hours Admin Login: {username}"
and set the magnitude to 6

Scenario 3: Lateral Movement Detection

Rule name: Lateral Movement Detection

Test:
when an event matches any of the following BB:CategoryDefinition: Authentication
and when QIDNAME(qid) = 'Successful Login'
and when the events were detected by one or more of [Workstation Logs]
and when at least 3 different Destination IP
are seen within 10 minutes
from the same username

Action:
emit an offense named "Possible Lateral Movement: {username}"
and set the severity to 8

Scenario 4: DGA Domain Detection (Advanced)

Rule name: Suspected DGA Domain Query

Test:
when an event matches any of the following BB:CategoryDefinition: DNS
and when the domain length > 20
and when the domain matches regex [a-z]{16,}\.(com|net|org)

Action:
emit an offense named "Suspected DGA Domain: {domain}"
and add domain to Reference Set [Suspicious_Domains]

Rule Management Best Practices

Naming convention examples:

[Authentication] Brute Force Login Detection
[Network] Port Scan from External IP
[Malware] C2 Communication Detected
[Insider] Off-Hours Data Access
[Compliance] PCI-DSS Failed Audit

Companion Resources

  • 📄 00-official-docs/7.5/IBM_QRadar_7.5_Administration_Guide.pdf, Chapter 6
  • 📄 00-official-docs/7.5/IBM_QRadar_7.5_User_Guide.pdf, Chapter 5
