suleymanhummetli/Qradar-detection-rules
GitHub: suleymanhummetli/Qradar-detection-rules
An enterprise-grade rule management framework that uses GitHub as the single source of truth for pre-built QRadar detection rules and deploys them automatically to QRadar SIEM through CI/CD.
Stars: 0 | Forks: 0
# 🛡️ SIEM Detection Rules — QRadar
## 📁 Repository Structure
```
siem-detection-rules/
├── qradar/
│   └── rules/                      # QRadar detection rules (JSON)
│       ├── QR-001_brute_force_detection.json
│       ├── QR-002_pass_the_hash.json
│       ├── QR-003_dns_tunneling.json
│       ├── QR-004_ransomware_detection.json
│       ├── QR-005_kerberoasting.json
│       ├── QR-006_data_exfiltration.json
│       ├── QR-007_powershell_c2.json
│       ├── QR-008_impossible_travel.json
│       ├── QR-009_port_scan_detection.json
│       └── QR-010_dcsync_attack.json
├── scripts/
│   └── qradar_github_sync.py       # GitHub → QRadar sync script
└── .github/
    └── workflows/
        └── qradar_sync.yml         # CI/CD automation pipeline
```
## 🔟 QRadar Detection Rules
| Rule ID | Name | MITRE | Severity |
|---------|------|-------|----------|
| QR-001 | Brute-force authentication attack | T1110 | HIGH |
| QR-002 | Pass-the-Hash lateral movement | T1550.002 | CRITICAL |
| QR-003 | DNS tunneling / C2 communication over DNS | T1071.004 | HIGH |
| QR-004 | Ransomware behaviour detection | T1486 | CRITICAL |
| QR-005 | Kerberoasting attack | T1558.003 | HIGH |
| QR-006 | Data exfiltration via large file upload | T1048 | HIGH |
| QR-007 | Malicious PowerShell / C2 communication | T1059.001 | CRITICAL |
| QR-008 | Impossible travel detection | T1078 | HIGH |
| QR-009 | Port scan / network reconnaissance | T1046 | MEDIUM |
| QR-010 | DCSync attack | T1003.006 | CRITICAL |
## 🚀 Quick Start — GitHub Integration
### 1. Clone the repository
```
git clone https://github.com/YOUR_USERNAME/siem-detection-rules.git
cd siem-detection-rules
```
### 2. Configure GitHub Secrets
In the GitHub repository, go to **Settings → Secrets and variables → Actions** and add:
| Secret name | Value |
|-------------|-------|
| `QRADAR_HOST` | `https://your-qradar-ip` |
| `QRADAR_API_TOKEN` | QRadar API token (Admin → Authorized Services) |
### 3. Obtain a QRadar API Token
```
QRadar UI → Admin → Authorized Services → Add Authorized Service
Permission Level: Admin
Copy the token → add it as a GitHub Secret
```
### 4. Manual sync (local)
```
pip install requests
export QRADAR_HOST="https://your-qradar-ip"
export QRADAR_API_TOKEN="your-token"
export GITHUB_TOKEN="your-github-pat"
export GITHUB_REPO_OWNER="your-username"
export GITHUB_REPO_NAME="siem-detection-rules"
export GITHUB_RULES_PATH="qradar/rules"
export GITHUB_BRANCH="main"
# Validate the rules
python scripts/qradar_github_sync.py --validate
# Deploy all rules
python scripts/qradar_github_sync.py --deploy
# Update only the rules that changed
python scripts/qradar_github_sync.py --update
# List the rules present in QRadar
python scripts/qradar_github_sync.py --list
```
## 🔄 Automated CI/CD Flow
```
Developer edits rule in GitHub
│
▼
Pull request opened
│
▼
✅ Validate Job (JSON schema check)
│
▼
PR merge to main
│
▼
🔵 Dry Run preview
│
▼
🚀 Deploy to QRadar via REST API
│
▼
📄 Sync log saved as artifact
```
## ✏️ Updating Rules
**Always update rules in GitHub; never edit them directly in QRadar!**
```
# 1. Create a branch
git checkout -b update/QR-004-ransomware-threshold
# 2. Edit the rule JSON file
nano qradar/rules/QR-004_ransomware_detection.json
# 3. Commit and push
git add .
git commit -m "feat(QR-004): increase file modification threshold to 300"
git push origin update/QR-004-ransomware-threshold
# 4. Open a PR → review → merge
# GitHub Actions then deploys the change to QRadar automatically
```
## 📋 Rule JSON Schema
```
{
  "rule_id": "QR-XXX",                        // Unique rule identifier
  "name": "Human-readable name",
  "description": "Detailed description",
  "mitre_technique": "TXXXX.XXX",             // MITRE ATT&CK ID
  "severity": "CRITICAL|HIGH|MEDIUM|LOW",
  "offense_type": "Category string",
  "aql_search_query": "SELECT ... FROM events WHERE ...",
  "rule_conditions": { ... },                 // CRE conditions
  "offense_annotation": "Template with %variables%",
  "response_actions": ["Action 1", "Action 2"],
  "sigma_reference": "https://github.com/SigmaHQ/...",
  "enabled": true,
  "version": "1.0"
}
```
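As an added example (not code from the repository's `qradar_github_sync.py`), the following validator checks a rule file against the schema above, in the spirit of the `--validate` step; the required-field types, the `QR-NNN` and `TNNNN.NNN` patterns, and the sample rule are assumptions based on this README:

```python
import json
import re
# Added example (not the repository's qradar_github_sync.py --validate code): schema validator.
REQUIRED_FIELDS = {"rule_id": str, "name": str, "description": str, "mitre_technique": str,
                   "severity": str, "offense_type": str, "aql_search_query": str,
                   "rule_conditions": dict, "offense_annotation": str, "response_actions": list,
                   "sigma_reference": str, "enabled": bool, "version": str}
SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW"}
RULE_ID_RE = re.compile(r"^QR-\d{3}$")        # e.g. QR-004
MITRE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1486 or T1550.002

def validate_rule(text):
    """Return the problems found in one rule file's JSON text; an empty list means valid."""
    try:
        rule = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(rule, dict):
        return ["top-level value must be an object"]
    problems = []
    for field, kind in REQUIRED_FIELDS.items():
        if field not in rule:
            problems.append(f"missing field: {field}")
        elif not isinstance(rule[field], kind):
            problems.append(f"{field}: expected {kind.__name__}")
    if problems:  # the value checks below assume every field is present and typed
        return problems
    if not RULE_ID_RE.match(rule["rule_id"]):
        problems.append("rule_id must match QR-NNN")
    if not MITRE_RE.match(rule["mitre_technique"]):
        problems.append("mitre_technique must match TNNNN or TNNNN.NNN")
    if rule["severity"] not in SEVERITIES:
        problems.append("severity must be one of CRITICAL|HIGH|MEDIUM|LOW")
    query = rule["aql_search_query"].strip().upper()
    if not (query.startswith("SELECT ") and " FROM " in query):
        problems.append("aql_search_query must be a SELECT ... FROM ... statement")
    if not rule["response_actions"]:
        problems.append("response_actions must not be empty")
    return problems

def sample_rule_text(**overrides):
    """Constructed QR-004-style rule (sample data, not the repository's file), with overrides."""
    rule = {"rule_id": "QR-004", "name": "Ransomware behaviour", "mitre_technique": "T1486",
            "description": "Mass file changes", "severity": "CRITICAL", "offense_type": "Malware",
            "aql_search_query": "SELECT sourceip FROM events WHERE eventcount > 300",
            "rule_conditions": {"threshold": 300}, "offense_annotation": "Ransomware on %sourceip%",
            "response_actions": ["Isolate host"], "enabled": True, "version": "1.0",
            "sigma_reference": "https://github.com/SigmaHQ/sigma"}
    rule.update(overrides)
    return json.dumps(rule)
```

Running `validate_rule` over every file under `qradar/rules/` before a PR is merged catches a mistyped severity or a malformed MITRE ID before the deploy job ever talks to the QRadar API.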
## 📞 Support
Issues: [GitHub Issues](../../issues)
MITRE ATT&CK: [attack.mitre.org](https://attack.mitre.org)
Sigma rules: [github.com/SigmaHQ/sigma](https://github.com/SigmaHQ/sigma)
QRadar API documentation: [IBM Security Docs](https://ibmsecuritydocs.github.io/qradar_api_13.1/)