This is an attempt to implement a research paper that I found via a Twitter post some time in mid 2016. The premise is that, based on intrusion-detection research, certain Windows events can be chained together into sequences that might indicate an intrusion. The paper also uses these scenarios to reduce the impact of noisy (common) Windows events that would otherwise drown out the indication of an attacker: a common event only matters once a rarer starting event has already occurred.
So here goes my attempt at creating a number of ESA rules that map out these intrusion patterns.
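To illustrate the premise in plain code, here is an added example (not from the paper or the ESA rules themselves) of the chaining logic an ESA rule expresses: a rare trigger event opens a per-host window, and the common follow-up events only produce an alert inside that window. The event IDs and log records are constructed for the illustration and are not taken from the paper.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event_id). The IDs are
# illustrative stand-ins for a rare trigger followed by common events.
SAMPLE_EVENTS = [
    ("2016-06-01T10:00:00", "ws1", 4624),
    ("2016-06-01T10:00:05", "ws1", 4688),  # common events without a trigger
    ("2016-06-01T10:01:00", "ws2", 1102),  # rare trigger (assumed)
    ("2016-06-01T10:01:30", "ws2", 4688),
    ("2016-06-01T10:02:00", "ws2", 4624),  # completes the chain on ws2
    ("2016-06-01T11:30:00", "ws3", 1102),  # trigger whose follow-up is too late
    ("2016-06-01T12:30:00", "ws3", 4688),
]

CHAIN = [1102, 4688, 4624]      # assumed chain: rare first, common after
WINDOW = timedelta(minutes=10)  # assumed: whole chain must fit in this window


def correlate(events, chain, window):
    """Return (host, trigger_time, end_time) for each host whose events match
    `chain` in order, with the whole chain inside `window`.

    Common events never alert on their own: the per-host state only advances
    once the first (rare) event of the chain has been seen on that host.
    """
    state = defaultdict(lambda: (0, None))  # host -> (next stage, trigger time)
    alerts = []
    for ts_str, host, eid in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        stage, started = state[host]
        if stage > 0 and ts - started > window:
            stage, started = 0, None  # partial chain timed out; discard it
        if eid == chain[stage]:
            if stage == 0:
                started = ts
            stage += 1
            if stage == len(chain):
                alerts.append((host, started.isoformat(), ts.isoformat()))
                stage, started = 0, None
        state[host] = (stage, started)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, CHAIN, WINDOW):
        print("chain matched:", alert)
```

Only ws2 alerts: ws1 emits the same common events with no trigger, and ws3's follow-up falls outside the window.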
These have not been tested in a production environment, and I would like the community's help in testing and validating both the rules and the research.
There are more elaborate ways of writing the rule language but for the moment this is how I chose to write them for testing.
If you choose to test these rules, please look at the stats on the rules to see how much memory they consume (I am curious to see how they fare in the performance department, as some of the starting events are very rare).
There are two configuration files that will need to be updated which are included in the zip archive below.
As always, let me know how these rules perform and how they can be improved.