Several types of rules

IBM QRadar SIEM (Security Information and Event Management) collects log events and network flows, normalizes them, and correlates them into offenses, with threat intelligence and orchestration capabilities layered on top. Using QRadar, you can set up rules that detect, alert on, and respond to security threats and non-compliance issues in real time. In the Rule Wizard itself every rule is one of four types (event, flow, common, or offense) or an anomaly detection rule (anomaly, threshold, or behavioral); the categories below group rules by purpose instead, so several of them map onto the same underlying rule type. Here are three examples for each category:

  1. Anomaly Detection Rules:

    • Alert when a user logs in from two different geographical locations within a short period.

    • Alert when there's an unexpected spike in outbound traffic.

    • Alert when a service or application that doesn't usually access sensitive data suddenly starts accessing it.

  2. Flow-Based Rules:

    • Alert when a significant amount of data is transferred to an external IP address.

    • Alert when a known secure port (e.g., 443 for HTTPS) carries non-encrypted data (this depends on the flow collector identifying the application from the payload, not on the port number alone).

    • Alert when there's an unusual amount of traffic to known cloud storage sites.

  3. Log-Based Rules:

    • Alert on multiple failed login attempts for a critical system within 5 minutes.

    • Alert when a new admin account is created outside business hours.

    • Alert when a system or application logs a critical error multiple times in a short period.

  4. Offense Rules (in QRadar these test attributes of an existing offense, such as its magnitude, event count, or age; the sequences below are normally written as event rules whose hits are then escalated by an offense rule):

    • Alert when there's a sequence of a successful login after multiple failed attempts.

    • Alert on repeated attempts to access a secure file or database, followed by a sudden data transfer.

    • Alert when firewall "deny" events spike in conjunction with an increase in email activity.

  5. Threat Intelligence Rules:

    • Alert on any communication with an IP address listed in a threat intelligence feed.

    • Alert when a known malicious URL is accessed.

    • Alert on downloads from a domain recently flagged as hosting malware.

  6. Geographical Activity Rules:

    • Alert on login attempts from countries where the company has no business operations.

    • Alert when a user who typically accesses systems from one country suddenly logs in from another.

    • Alert on data transfers to a high-risk jurisdiction.

  7. Time-Based Rules:

    • Alert on administrator account activity outside of regular business hours.

    • Alert when systems are rebooted or shut down unexpectedly during peak usage hours.

    • Alert when a high volume of files is accessed late at night.

  8. Data Matching Rules:

    • Alert when patterns matching credit card numbers are detected in outbound traffic.

    • Alert when patterns resembling Social Security numbers are uploaded to cloud storage.

    • Alert when patterns of proprietary code or intellectual property are transmitted via email.

  9. Application Rules:

    • Alert when an unauthorized cloud-based storage application is installed on a company system.

    • Alert when a sensitive application, like a finance tool, is accessed from an unregistered device.

    • Alert when there's an unusual amount of data transfer from a CRM tool.

  10. Correlation Rules:

    • Alert when a user accesses sensitive company data, followed by a spike in external email activity.

    • Alert when a series of security events occur in a pattern indicating a multi-stage attack (e.g., reconnaissance, lateral movement, data exfiltration).

    • Alert on the combination of a detected malware download followed by a spike in network traffic.

  11. Behavioral Rules:

    • Alert when a user suddenly starts accessing systems or data they've never accessed before.

    • Alert when there's a significant deviation from the baseline in terms of data upload or download.

    • Alert when a normally inactive account starts showing activity.

  12. Compliance Rules:

    • Alert on any unencrypted Personally Identifiable Information (PII) transfers, for GDPR compliance.

    • Alert when credit card data is accessed from a non-PCI-compliant system.

    • Alert when health records are transmitted outside a secure network, potentially violating HIPAA.

  13. Custom Rules (specific to an organization's unique requirements):

    • Alert when an employee from the marketing department accesses the finance department's servers.

    • Alert on login activity to a proprietary application during a company-wide mandated downtime.

    • Alert when there's access to a restricted research and development project by anyone outside the core team.
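Several of the rules above (the failed-login threshold under Log-Based Rules, the success-after-failures sequence under Offense Rules, and the country-change login under Geographical Activity Rules) reduce to sliding-window counters keyed per user, which is what QRadar's "at least N times in M minutes" and "followed by" rule tests compute. The Python below is an added example, not QRadar's code or the page's own: it replays constructed sample login events through those three rules. The event field names, thresholds, time windows, and the geo-IP lookup table are assumptions made for the example.

```python
"""Replay constructed login events through three QRadar-style rules.

Added example (not IBM's or the page's own code). Field names, thresholds,
windows and the GEO table are assumptions; QRadar would populate the
username/source-IP fields through its DSM parsing and resolve countries
from its own geographic data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, already normalised (not real data).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "src": "203.0.113.5", "name": "Login Failed"},
    {"ts": "2024-03-01T09:00:20", "user": "alice", "src": "203.0.113.5", "name": "Login Failed"},
    {"ts": "2024-03-01T09:00:40", "user": "alice", "src": "203.0.113.5", "name": "Login Failed"},
    {"ts": "2024-03-01T09:01:00", "user": "alice", "src": "203.0.113.5", "name": "Login Failed"},
    {"ts": "2024-03-01T09:01:15", "user": "alice", "src": "203.0.113.5", "name": "Login Failed"},
    {"ts": "2024-03-01T09:01:30", "user": "alice", "src": "203.0.113.5", "name": "Login Success"},
    {"ts": "2024-03-01T09:30:00", "user": "bob",   "src": "198.51.100.7", "name": "Login Success"},
    {"ts": "2024-03-01T09:45:00", "user": "bob",   "src": "192.0.2.9",    "name": "Login Success"},
    {"ts": "2024-03-01T17:00:00", "user": "carol", "src": "198.51.100.8", "name": "Login Failed"},
    {"ts": "2024-03-01T17:03:00", "user": "carol", "src": "198.51.100.8", "name": "Login Failed"},
]

# Assumed geo-IP lookup table (hypothetical; uses documentation IP ranges).
GEO = {"203.0.113.5": "DE", "198.51.100.7": "US", "198.51.100.8": "US", "192.0.2.9": "BR"}


def run_rules(events, geo=GEO,
              fail_threshold=5, fail_window=timedelta(minutes=5),
              seq_failures=3, seq_window=timedelta(minutes=10),
              travel_window=timedelta(minutes=60)):
    """Return the alerts fired, as (rule_name, username, triggering_timestamp).

    Rule 1: >= fail_threshold failed logins by one user within fail_window.
    Rule 2: a successful login preceded by >= seq_failures within seq_window.
    Rule 3: two successful logins by one user from different countries
            within travel_window of each other.
    """
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    last_success = {}               # user -> (timestamp, country) of last good login
    alerts = []

    for ev in events:
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]

        if ev["name"] == "Login Failed":
            q = failures[user]
            q.append(ts)
            # Slide the window: keep only failures inside the longer of the two windows.
            while q and ts - q[0] > seq_window:
                q.popleft()
            # Rule 1 fires on the event that brings the count to the threshold.
            # (QRadar would normally add a response limiter on top of this.)
            in_window = sum(1 for t in q if ts - t <= fail_window)
            if in_window == fail_threshold:
                alerts.append(("brute_force_threshold", user, ev["ts"]))

        elif ev["name"] == "Login Success":
            # Rule 2: success following a burst of failures for the same user.
            recent = [t for t in failures[user] if ts - t <= seq_window]
            if len(recent) >= seq_failures:
                alerts.append(("success_after_failures", user, ev["ts"]))
            failures[user].clear()  # a successful login resets the failure counter

            # Rule 3: country changed between two successes inside travel_window.
            country = geo.get(ev["src"], "unknown")
            if user in last_success:
                prev_ts, prev_country = last_success[user]
                if prev_country != country and ts - prev_ts <= travel_window:
                    alerts.append(("impossible_travel", user, ev["ts"]))
            last_success[user] = (ts, country)

    return alerts


if __name__ == "__main__":
    for rule, user, when in run_rules(EVENTS):
        print(f"{when}  {rule:24s}  user={user}")
```

Carol's two failures stay below the threshold and produce nothing, which is the point of the window: the rule should fire on a burst, not on the background rate of mistyped passwords. When porting this to the Rule Wizard, the same three ideas become an event rule with a count-per-username test, a second event rule that looks for the success event "after" the first rule's match, and a geographic test on the source IP.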

Each of these examples needs tuning to the organization's environment: the thresholds and time windows, and the reference sets (trusted IP ranges, business hours, sensitive asset groups) that keep false positives down.
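One such refinement for the credit card rule under Data Matching Rules: a bare digit pattern matches order numbers, timestamps and hashes as readily as card numbers, so the match should be confirmed with a Luhn check before it alerts. The Python below is an added example, not QRadar's code or the page's own; the sample payloads are constructed, the two card numbers in them are well-known test numbers rather than real cards, and the regex length bounds are an assumption.

```python
"""Regex candidate match plus Luhn validation for card numbers in outbound data.

Added example (not IBM's or the page's own code). SAMPLES are constructed
payloads; 4111... and 4242... are standard test card numbers, not real PANs.
"""
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Length bounds are an assumption.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed outbound payload fragments keyed by a label for the example.
SAMPLES = {
    "pan_plain":  "cardholder=J Doe; pan=4111111111111111; exp=12/27",
    "pan_spaced": "POST /checkout ... 4242 4242 4242 4242",
    "order_id":   "order=1234567890123456 status=shipped",
    "timestamp":  "event at 20240301090000 from host-17",
}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalised (separator-free) card numbers found in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def flag_outbound(payloads: dict) -> list:
    """Return the labels of payloads that would raise the data-matching alert."""
    return [label for label, text in payloads.items() if find_card_numbers(text)]


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:12s} -> {find_card_numbers(text)}")
```

The order ID and the timestamp both match the digit pattern but fail Luhn, so only the two genuine card formats alert. In QRadar the equivalent is a custom property extracted with the regex, followed by a rule test on that property; the Luhn step would live in the content extraction or in a custom action, since the rule tests themselves do not evaluate checksums.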
