05-24-2023 07:43 AM
Hi,
What manually created correlation rules and BIOCs do you suggest?
Regards,
Fábio Ferreira
08-28-2023 03:37 AM
You can look into OSINT databases like Sigma and analyze whether they make sense for your organisation and the telemetry you are collecting, and work from there. Rules may be a bit noisy, so you will obviously need to tune things out based on your org. Hope it helps.
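To make the "start from Sigma, then tune for your org" advice concrete, here is an added example (not code from the LIVEcommunity poster or from Palo Alto Networks). It encodes one Sigma-style rule as a Python dict rather than YAML (to keep it dependency-free), evaluates it over a handful of constructed process-creation events, and then appends an org-specific exclusion the way you would after reviewing the first round of noisy hits. The rule, the field names, the parent-process names and every event are constructed placeholders; translating the result into Cortex XDR XQL or a BIOC is left to the reader.

```python
"""
Minimal Sigma-style rule evaluator (added example, not community or vendor code).

Sigma rules carry a `detection` block: a `selection` map, optional `filter`
maps, and a `condition` joining them. This example supports the common
"selection and not filter" shape plus the contains/endswith/startswith
modifiers, and shows how an exclusion is added to tune out expected noise.
"""

# Constructed Sigma-style rule: PowerShell launched with an encoded command,
# excluding a (placeholder) management agent that legitimately does this.
RULE = {
    "title": "Encoded PowerShell command line (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter_known_tool": {
            "ParentImage|endswith": "\\sccm_agent.exe",  # constructed placeholder
        },
        "condition": "selection and not filter_known_tool",
    },
}


def _match_field(event, key, expected):
    """Evaluate one `Field|modifier: value(s)` entry against an event (case-insensitive)."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for v in values:
        v = str(v).lower()
        if modifier == "contains" and v in actual:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "startswith" and actual.startswith(v):
            return True
        if modifier == "" and actual == v:
            return True
    return False


def _match_map(event, mapping):
    """Every entry in a selection/filter map must match (Sigma AND semantics)."""
    return all(_match_field(event, k, v) for k, v in mapping.items())


def evaluate(rule, event):
    """Return True if the event satisfies the rule's condition.

    Supported condition shapes: "X", "X and not Y", "X and not Y and not Z".
    """
    det = rule["detection"]
    result = True
    for part in (p.strip() for p in det["condition"].split(" and ")):
        if part.startswith("not "):
            result = result and not _match_map(event, det[part[4:]])
        else:
            result = result and _match_map(event, det[part])
    return result


def run_rule(rule, events):
    """Return the events that fire the rule."""
    return [e for e in events if evaluate(rule, e)]


def add_exclusion(rule, name, mapping):
    """Tune the rule in place by appending an org-specific filter to its condition."""
    rule["detection"][name] = mapping
    rule["detection"]["condition"] += f" and not {name}"
    return rule


# Constructed process-creation events; none of this is real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc ZQBjAGgAbwA=",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
    {"Image": PS, "CommandLine": "powershell.exe -EncodedCommand ZQBjAGgAbwA=",
     "ParentImage": r"C:\Program Files\Mgmt\sccm_agent.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": PS, "CommandLine": "powershell.exe -EncodedCommand ZQBjAGgAbwA=",
     "ParentImage": r"C:\Tools\backup_runner.exe", "User": "CORP\\svc_backup"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    print("before tuning:", len(run_rule(RULE, EVENTS)), "hit(s)")  # 2
    # After triage: the backup service account's scheduled job is expected noise.
    add_exclusion(RULE, "filter_backup_job",
                  {"ParentImage|endswith": "\\backup_runner.exe", "User": "CORP\\svc_backup"})
    print("after tuning: ", len(run_rule(RULE, EVENTS)), "hit(s)")  # 1
```

The point of `add_exclusion` is that tuning should narrow on more than one field (parent image and account together here), so the exclusion does not silently carve out every encoded command line from that host.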
05-24-2023 08:08 AM
Hi @FabioFerreira,
For BIOC and correlation rules, I would first recommend starting by looking at threats you've seen in the past that weren't properly blocked or reported according to your organization's SOPs. Once that job has been handled sufficiently and your SOC team has matured, I recommend looking outside of your organization at new TTPs and threats that are being seen in the wild, and building IOCs and correlation rules to match that activity.
I understand this may not be the information you're looking for, but no one outside of your organization is going to be able to tell you exactly what you need to be looking for. Different threats are more prevalent in certain industries/verticals than others. Also, everyone's team is at a different level of maturity.
I hope this information helps.
05-25-2023 05:40 AM
Hi @anlynch
Thank you for your reply.
Sorry if I was not clear.
We are already doing that, so we don't need that information.
I totally agree when you say, "no one outside of your organization is going to be able to tell you exactly what you need to be looking for."
I was looking for something more generic.
Let me know if you or someone could suggest some generic XQL or BIOC rules that could help us leverage our defenses.
Sharing that kind of information will for sure help the whole community, I believe 🙂
Regards,
Fábio Ferreira