CVE-2021-34527 (CVE-2021-1675) PrintNightmare – Detection by SIEM Guide


Overview The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. (Source: Guide to detect by SIEM: GPO: Verify the Event logs are enabled: Microsoft-Windows-SMBClient/Security Microsoft-Windows-PrintService/Admin Microsoft-Windows-PrintService/Operational WEF: Configure the WEF subscription […]

CVE-2020-16898 – Bad Neighbor – Monitoring By SIEM

eve-2020-16898 bad neighbour Siem content

CVE-2020-16898 – Bad Neighbor SIEM Content Packages A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. An attacker would have to send specially crafted ICMPv6 Router Advertisement […]

CVE-2019-0708 – BlueKeep – Monitoring By SIEM

eve-2019-0708 blue keep Siem content

CVE-2019-0708 BlueKeep – SIEM Content Packages Bluekeep is a critical vulnerability that allows an attacker to send malicious packets to a vulnerable target over RDP and remotely execute commands with elevated privileges. The vulnerability occurs during pre-authorization and does not require any user interaction, which makes it really critical. This vulnerability will affect these OS […]

CVE-2020-1350 – SigRed – Monitoring By SIEM

SIEM Content Packages For CVE-2020-1350 – SigRed By CyberSIEM “SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, […]

CVE-2020-1472 – ZeroLogon – Monitoring by SIEM

SIEM Content Packages For CVE-2020-1472 – ZeroLogon By CyberSIEM As you know, one of the most critical vulnerabilities has recently been published – ZeroLogon An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege […]

Active List With Dynamic TTL

Active List With Dynamic TTL

The CyberSIEM team has developed a tool that makes taking care of these exclusions as simple as creating an Active List.

ArcSight Rule Action – Telegram Message

ArcSight Rule Action - Telegram Message

Any conversation with the bot has a unique Chat ID, the bot will need this ID to know where to send the message. Of course, you can use the same bot for a few conversations, and send different alerts to each group.

Rules based on aggregate SUM

Rules based on aggregate SUM

How to create a data monitor which will collect the information from the last X time, and sum the quantity and create a rule that use the audit events of the Data Monitor to check if the value is more than a specific threshold.