Correlation help #125
Unanswered
HBadger0017
asked this question in
Q&A
Replies: 1 comment
@HBadger0017 As an aside, join us over in the Sigma Discord for easier discussion - https://discord.gg/kQQBn5W2z5
Hey team!
I am trying to get smarter on correlations for Sigma. However, there are not a lot of examples to learn from.
Context:
I want to build a correlation to compare a host log with a network log. Pseudo-code: If network log = True and host log = True, return Hostname and Username.
Expanded pseudo-code: Check outbound rdp connections; if present, check host process_creation for plink; return hostname and username.
I want to combine the existing zeek/rdp and windows/process_creation rules into a single correlation.
Am I using correlations correctly for this case? (leaning towards event_count gte=1)
Am I overthinking this pseudo-code? Is there an easier way?
Thanks for any feedback.
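For the "outbound RDP plus plink on the same host" case in the question, the fitting correlation type is `temporal` (two different rules must both match within a window), not `event_count` (which counts hits of a single rule). The following is an added example and not part of the discussion or the Sigma project; the rule names, the placeholder id, and the field names used in `aliases` are assumptions about the data.

```yaml
# Added example, not from this discussion. The two rules are compact stand-ins
# for the existing zeek/rdp and windows/process_creation rules (reference the
# real ones by id, or add name: to them); field names are assumptions.
title: Outbound RDP Connection (Zeek)
name: zeek_rdp_outbound
logsource:
    product: zeek
    service: rdp
detection:
    selection:
        id.resp_p: 3389
    filter_internal:
        id.resp_h|cidr:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
    condition: selection and not filter_internal
---
title: Plink Execution
name: win_plink_execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\plink.exe'
    condition: selection
---
title: Outbound RDP Followed by Plink Execution on the Same Host
id: 00000000-0000-0000-0000-000000000000   # placeholder, generate a real UUID
status: experimental
description: |
    Alerts when the same host appears in both rules within the window.
    id.orig_h is an IP and ComputerName a hostname: resolve one side in
    your pipeline or the join never matches. Output fields depend on the
    backend; group-by fields are always carried, so group on the host.
correlation:
    type: temporal        # both rules must match, any order; temporal_ordered for "RDP first, then plink"
    rules:
        - zeek_rdp_outbound
        - win_plink_execution
    group-by:
        - host
    timespan: 15m
    aliases:              # map each rule's own field onto the shared group-by key
        host:
            zeek_rdp_outbound: id.orig_h       # Zeek: originator of the RDP session
            win_plink_execution: ComputerName  # Windows: host where plink ran
level: high
```

The username is not a group-by key here because only the process_creation event carries it; whether it appears in the alert depends on the backend the correlation is converted for.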