Security Tips
Microsoft Sentinel
Ingestion Lag
| where ingestionTime > 5m Setting: Run query every 5m Lookup data from the last 24 hours Stop ...
Rule Sample
Log Analytics: Logs Rules Analytics OfficeActivity | where ingestion_time() > ago(5m) | where...
Union Alert
// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran...
Splunk to Sentinel Logic
bin time doc | summarize initial_time = min(TimeGenerated), end_time = max(datetime_add("Second"...
Microsoft Security
Qradar
Ignore when another rule matches
When a building block or rule matches its specific fields, do not fire matched events and NOT w...
Qradar expiring whitelist
Use AQL filter query username LIKE 'testUser' and LONG(DATEFORMAT(starttime, 'yyyyMMdd')) < 2...
Qradar global whitelist
Use Routing Rules with forwarding > bypass correlation. For IP ranges, use Network Hierarchy.
Reference Maps
[http://www.siem.su/docs/ibm/Technical_remarks/Reference_Data_Collections_Technical_Note.pdf]
ArcSight
Splunk
Splunk Use Case tracker
| rest splunk_server=local count=0 /services/saved/searches | where disabled=0 | rename action.co...
Splunk total run time
(index=_audit host=* action=search sourcetype=audittrail search_id!="rsa_*") | eval user = if(us...
Splunk Drill Down Events
earliest=$initial_time$ latest=$end_time$ index=$index$ EventCode=4624 NOT Logon_Type IN ("5") ho...
Splunk Results Token
fieldsummary
LogRhythm
Mitre Framework
Cybersecurity Strategy
Security Topics and Theories.