SIEM open rules

Hey there, how are ur?

I'm posting here some rules I made for detecting communications with botnets, command and control (C2), VNC scanners, SSH, MySQL, RDP, DNS, Telnet, HTTP, TFTP. Using honeypots, blacklists, IP rank status, etc. as a base.

The rules were made by me and anyone is allowed to edit them. I'm posting here to help those who don't understand so much about Elastic SIEM or query languages.

The rules were updated today (08/09/2021), but I will try to keep this topic as updated as possible with more rules going forward and always adding new IPs.

It is noteworthy that the rules in question only identify IPs (filebeat, packetbeat, etc). More focused on firewall and proxy logs.

Observation: If u have any problems uploading the rule to your SIEM, change the rule lines where it contains the line below, to the address of your kibana.

It looks like this: {"from":"1m","kibana_siem_app_url":"YOUR-IP-OR-URL-KIBANA/app/security"}

Change it to something like this: {"from":"1m","kibana_siem_app_url":"https://mykibana.com:5601/app/security"}

My repository with rules: https://github.com/wallacepalace/rules-siem-elastic

Hope this helps!

1 Like

Thanks for sharing. A few questions/thoughts -

  • Where are you sourcing your IP's for triggering rules?
  • Looks like your elastic instance address is in these rules. Not sure if you want to share that out or not.
  • Have you considered writing your rules in SIGMA format?
1 Like

Hey there, how are u?

I changed the AWS instance address, thanks! It was a test instance, but I changed it to "YOUR-IP-OR-URL-KIBANA", thanks for letting me know!

I find OSINT based IPs, I work with threat intelligence, so I find these low trust IPs myself and create rules on top of them.

Okay, I'll transcribe the rules to Sigma format too, so everyone can transport the rules to multiple SIEMs.

Thanks!