Correlation rules and BIOCs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Correlation rules and BIOCs

L2 Linker

Hi,

 

What correlation rules and BIOCs created manually do you suggest?

 

Regards,

Fábio Ferreira

1 accepted solution

Accepted Solutions

L0 Member

You can look into OSINT data bases like Sigma and analyze if it make sense to your organisation and the telemetry you are collecting and can work from there. Rules may be a bit noisy so obviously need to tune out things based on your org. Hope it helps 

View solution in original post

3 REPLIES 3

L4 Transporter

Hi @FabioFerreira,

 

For BIOC and correlation rules first I would recommend to start looking at threats you've seen in the past that weren't properly blocked or reported according to your organization's SOPs.  Once that job has been handled sufficiently and your SOC team has matured I recommend looking outside of your organization and looking and new TTPs and threats that are being seen in the wild and build IOCs and correlations rules to match that activity.

 

I understand this may not be the information you're looking for, but no one outside of your organization is going to be able to tell you exactly what you need to be looking for.  Different threats are more prevalent in certain industries/verticals than others.  Also, everyone's team is at a different level of maturity.'

 

I hope this information helps.

Hi @anlynch 

 

Thank you for your reply.

Sorry if I was not clear.

We are already doing that and that information we don't need.

I totally agree when you say, "no one outside of your organization is going to be able to tell you exactly what you need to be looking for"

 

I was looking for something more generic.

Let me know if you or someone could suggest some generic XQL or BIOC rules that could help us leverage our defenses.

Sharing that kind of information will for sure help all community, I believe 🙂

 

Regards,

Fábio Ferreira

L0 Member

You can look into OSINT data bases like Sigma and analyze if it make sense to your organisation and the telemetry you are collecting and can work from there. Rules may be a bit noisy so obviously need to tune out things based on your org. Hope it helps 

  • 1 accepted solution
  • 2102 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!