Correlation Rule Library
This repository contains a set of correlation rules for detecting suspicious activity and potential threats in your organization's telemetry. Rules are grouped by category so that the library is easy to navigate and supports a structured approach to threat detection. Used together, the categories below cover common attacker behaviours and improve your ability to detect and respond to security incidents.
Attacker Tool
These rules detect the presence and usage of known attacker tools.
Suspicious Process
These rules identify suspicious processes that may indicate malicious activity.
Suspicious Parent Process
These rules detect suspicious parent-child process relationships to identify potential attacks.
Suspicious Child Process
These rules identify suspicious child processes spawned from specific parent processes to detect potential malware.
Living Off The Land Attack
These rules detect unusual use of built-in system tools such as PowerShell and WMI, so that attacks which hide behind legitimate administrative tooling can still be identified.
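As an added illustration of how the Suspicious Parent Process, Suspicious Child Process and Living Off The Land Attack categories can be expressed as correlation logic, the following example code was written for this page; it is not this library's rule format or any of its rules. The rule names, event fields and sample process-creation events are constructed for the example.

```python
"""Minimal process-event correlation illustrating three rule categories.

Example code added for this page (not the library's own rules or format).
Field names, rule names and the sample events below are constructed.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """A process-creation event as a collector might emit it (constructed schema)."""
    parent_image: str
    image: str
    command_line: str


@dataclass
class Rule:
    name: str
    category: str
    parent_patterns: List[str] = field(default_factory=list)   # globs on parent basename
    child_patterns: List[str] = field(default_factory=list)    # globs on child basename
    cmdline_keywords: List[str] = field(default_factory=list)  # all must appear in the command line


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _matches(patterns: List[str], name: str) -> bool:
    """Empty pattern list means 'any'; otherwise any glob must match (case-insensitive)."""
    return not patterns or any(fnmatch.fnmatch(name, p.lower()) for p in patterns)


def rule_matches(rule: Rule, ev: ProcessEvent) -> bool:
    if not _matches(rule.parent_patterns, _basename(ev.parent_image)):
        return False
    if not _matches(rule.child_patterns, _basename(ev.image)):
        return False
    cl = ev.command_line.lower()
    return all(k.lower() in cl for k in rule.cmdline_keywords)


# Constructed rules, one per category discussed above.
RULES = [
    Rule("Office application spawning a shell", "Suspicious Parent Process",
         parent_patterns=["winword.exe", "excel.exe", "outlook.exe"],
         child_patterns=["powershell.exe", "cmd.exe", "wscript.exe"]),
    Rule("WMI provider host spawning a shell", "Suspicious Child Process",
         parent_patterns=["wmiprvse.exe"],
         child_patterns=["cmd.exe", "powershell.exe"]),
    Rule("PowerShell launched with an encoded command", "Living Off The Land Attack",
         child_patterns=["powershell.exe"],
         cmdline_keywords=["-enc"]),
]


def evaluate(events: List[ProcessEvent], rules: List[Rule] = RULES) -> List[Tuple[str, str, str]]:
    """Return (category, rule name, child image) for every rule each event triggers."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule_matches(rule, ev):
                alerts.append((rule.category, rule.name, _basename(ev.image)))
    return alerts


# Constructed sample events: one benign, two that should alert.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QQBCAEMA"),   # placeholder payload
    ProcessEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for category, name, child in evaluate(SAMPLE_EVENTS):
        print(f"[{category}] {name}: {child}")
```

Running the block prints three alerts: the Word-to-PowerShell event triggers both the parent-process rule and the encoded-command rule, the WMI-to-cmd event triggers the child-process rule, and the Explorer-to-Notepad event triggers nothing. Keeping parent, child and command-line conditions as separate fields is what lets one event match several categories, which is usually what you want when tuning a library like this.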