
SIEM rule to detect encryption

  • October 27, 2023
  • 2 replies
  • 5 views


Has anyone here tried creating a rule that was able to capture encryption on a host?

I would like to get some ideas on how you do it.

2 replies

  • Staff
  • November 14, 2023

I think some more information is needed before a suggestion can be made. What log types are being sent from the host? And what in those logs can help determine if encryption is present? If we can answer this, a suitable rule can be created.

Hope this helps


AymanC
  • Bronze 5
  • November 14, 2023

As mentioned above, more information is needed. But at face value, if you know the encryption algorithm, you can regex-match an event for it.
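To make the regex-matching idea concrete, here is an added example that is not code from AymanC or from this thread. It assumes Sysmon-style process-creation events with `Computer`, `User` and `CommandLine` fields (the field names, the cipher and tool patterns, and the sample events are all assumptions constructed for this example). It goes one step beyond a single regex: it also counts hits per host, because one `openssl enc` call is routine but a burst of them on one host is closer to what the original question is asking about.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import Optional

# Added example: a minimal "encryption activity" SIEM rule that regex-matches
# event text for cipher names and encryption tool invocations. The patterns,
# the event field names and the sample events are assumptions for this example.

# Cipher/algorithm names a command line may carry (case-insensitive).
ALGORITHM_RE = re.compile(
    r"\b(?:aes(?:[-_]?(?:128|192|256))?(?:[-_]?(?:cbc|gcm|ctr|xts))?"
    r"|chacha20(?:[-_]?poly1305)?|rsa(?:[-_]?(?:2048|4096))?|blowfish|3des|camellia)\b",
    re.IGNORECASE,
)

# Common command-line encryption tools. Matching the invocation is more specific
# than the algorithm name alone, since e.g. "RSA" also shows up in TLS logs.
TOOL_RE = re.compile(
    r"(?:\bopenssl\s+enc\b|\bgpg2?\s+(?:--symmetric|-c|--encrypt|-e)\b|\bage\s+(?:-p|--passphrase)\b)",
    re.IGNORECASE,
)


def match_event(event: dict) -> Optional[dict]:
    """Return alert fields if the event's command line names a cipher or tool, else None."""
    text = event.get("CommandLine", "")
    tool = TOOL_RE.search(text)
    algo = ALGORITHM_RE.search(text)
    if not tool and not algo:
        return None
    return {
        "host": event.get("Computer", "unknown"),
        "user": event.get("User", "unknown"),
        "tool": tool.group(0) if tool else None,
        "algorithm": algo.group(0).lower() if algo else None,
        "raw": text,
    }


def run_rule(events: list[dict], burst_threshold: int = 3) -> dict:
    """Apply match_event to every event and count hits per host; a host reaching
    burst_threshold matching events is reported as a burst."""
    alerts = [a for a in (match_event(e) for e in events) if a]
    per_host = Counter(a["host"] for a in alerts)
    bursts = sorted(h for h, n in per_host.items() if n >= burst_threshold)
    return {"alerts": alerts, "per_host": dict(per_host), "bursts": bursts}


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "User": "alice",
     "CommandLine": "openssl enc -aes-256-cbc -salt -in q1.xlsx -out q1.xlsx.enc"},
    {"Computer": "ws01", "User": "alice",
     "CommandLine": "openssl enc -aes-256-cbc -salt -in q2.xlsx -out q2.xlsx.enc"},
    {"Computer": "ws01", "User": "alice",
     "CommandLine": "gpg -c --cipher-algo AES256 notes.txt"},
    {"Computer": "ws02", "User": "bob",
     "CommandLine": "notepad.exe C:\\Users\\bob\\todo.txt"},
    {"Computer": "srv03", "User": "svc_backup",
     "CommandLine": "openssl enc -chacha20 -in db.dump -out db.dump.enc"},
]

if __name__ == "__main__":
    result = run_rule(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(f"{a['host']}/{a['user']}: tool={a['tool']} algo={a['algorithm']}")
    print("burst hosts:", result["bursts"])
```

On the constructed events this yields four single-event hits and flags `ws01` as a burst host. In a real deployment the tool patterns will need tuning to the host's own backup and admin tooling, which is exactly the "what in those logs" question the staff reply raises.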