Correlation help #125
Unanswered
HBadger0017 asked this question in Q&A
HBadger0017:

Hey team!
I am trying to get smarter on correlations for Sigma. However, there are not a lot of examples to learn from.
Context:
I want to build a correlation to compare a host log with a network log. Pseudo-code: if network log = True and host log = True, return Hostname and Username.
Expanded pseudo-code: check outbound RDP connections; if present, check host process_creation for plink; return hostname and username.
I want to combine the existing zeek/rdp and windows/process_creation rules into a single correlation.
Am I using correlations correctly for this case? (leaning towards event_count gte=1)
Am I overthinking this pseudo-code? Is there an easier way?
Thanks for any feedback.

Replies: 1 comment

@HBadger0017 As an aside, join us over in the Sigma Discord for easier discussion - https://discord.gg/kQQBn5W2z5
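As an added example (not code from the thread above or from the Sigma rule repository), here is one way the pseudo-code could be expressed as a Sigma correlation rule. It uses the `temporal` correlation type, which only fires when every listed rule matches within the timespan for the same `group-by` value, and a field alias to join a Zeek record keyed by IP with a Windows record keyed by computer name. The two component rules are deliberately simplified stand-ins for the zeek/rdp and windows/process_creation rules mentioned in the question; the rule names `zeek_rdp_outbound` and `win_plink_process_creation`, the `src_hostname` field (assumed to be added to the Zeek event by a pipeline enrichment of `id.orig_h`, since rdp.log carries no hostname and process_creation carries no IP), the RFC 1918 filter and the 15-minute window are all illustrative assumptions.

```yaml
# Added example: two simplified component rules plus one correlation rule,
# bundled as a multi-document YAML file. Rule names, the src_hostname
# enrichment field, the CIDR filter and the 15-minute window are
# illustrative assumptions, not content of existing Sigma rules.
title: Outbound RDP Connection (Zeek)
name: zeek_rdp_outbound          # referenced by the correlation rule below
status: experimental
description: RDP session from an internal client to a responder outside RFC 1918 space.
logsource:
    product: zeek
    service: rdp
detection:
    selection:
        id.resp_p: 3389
    filter_internal_dest:
        id.resp_h|cidr:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
    condition: selection and not filter_internal_dest
level: low
---
title: Plink Execution
name: win_plink_process_creation
status: experimental
description: PuTTY plink started on a Windows host; low signal on its own.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\plink.exe'
    condition: selection
level: low
---
title: Plink Execution and Outbound RDP from the Same Host
status: experimental
description: >
    Fires only when both component rules match for the same host within the
    timespan; neither rule alone is enough. The Zeek event is assumed to carry
    src_hostname (a pipeline enrichment of id.orig_h), because rdp.log has no
    hostname field and process_creation has no IP field to join on directly.
correlation:
    type: temporal
    rules:
        - zeek_rdp_outbound
        - win_plink_process_creation
    group-by:
        - host                      # alias, resolved per rule below
    timespan: 15m
    aliases:
        host:
            zeek_rdp_outbound: src_hostname
            win_plink_process_creation: ComputerName
level: high
```

Two design points worth noting. First, `temporal` rather than `event_count`: an `event_count` correlation counts matching events per group, so a threshold of `gte: 1` would be satisfied by an RDP connection with no plink execution at all, whereas `temporal` requires each listed rule to match at least once in the window. The unordered `temporal` type is used instead of `temporal_ordered` because a network sensor and a host agent rarely share a clock closely enough to trust sub-minute ordering. Second, the hostname is returned because it is the `group-by` key; the username cannot be a key (the Zeek record has no user field), so it has to be read from the `User` field of the matched process_creation event in whatever the backend emits alongside the correlation hit. Correlation support also differs between pySigma backends, so check that the target backend accepts `type: temporal` and `aliases` before relying on this.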