NetSIEM — Network Security Information & Event Management

Total Rules

Active Rules

Disabled Rules

High FP Rate (>30%)

Rule ID	Name	Type	Severity	Condition	Log Source	Last Triggered	Triggers (7d)	FP Rate	MITRE	Suppression	Actions
RULE-001	SSH Brute Force Detection	Threshold	Critical	>50 failed SSH auths in 60s from same src IP	syslog/auth	07:18:29	47	4.2%	T1110	5 min	Edit rule Delete rule — cannot be undone
RULE-002	SQL Injection Pattern Match	Signature	High	HTTP request body matches SQLI regex patterns	waf/access	07:17:44	312	12.8%	T1190	1 min	Edit rule Delete rule — cannot be undone
RULE-003	C2 Beacon Periodic Traffic	Behavioral	Critical	Outbound connection to threat intel IOC with <30s jitter	netflow/egress	07:04:12	8	1.1%	T1071	0	Edit rule Delete rule — cannot be undone
RULE-004	DNS Tunneling Entropy	Anomaly	Critical	DNS query entropy >4.5 bits/char over 100 queries	dns/queries	05:54:33	3	2.3%	T1048	10 min	Edit rule Delete rule — cannot be undone
RULE-005	Lateral Movement — SMB	Behavioral	Critical	SMB connections to >5 internal hosts in 120s	netflow/internal	06:31:09	12	8.4%	T1021	2 min	Edit rule Delete rule — cannot be undone
RULE-006	RDP Brute Force	Threshold	High	>20 failed RDP auths in 30s	windows/security	04:12:08	28	6.7%	T1133	5 min	Edit rule Delete rule — cannot be undone
RULE-007	Port Scan Detection	Threshold	Medium	Single src IP contacts >30 dst ports in 60s	netflow/all	07:18:14	189	22.1%	T1046	15 min	Edit rule Delete rule — cannot be undone
RULE-008	XSS Payload in HTTP	Signature	Medium	HTTP param contains <script> or JS event handlers	waf/access	07:17:31	421	31.4%	T1059	1 min	Edit rule Delete rule — cannot be undone
RULE-009	Privilege Escalation — Linux	Signature	High	sudo/su followed by setuid binary execution	auditd/syscall	2026-03-15 18:11	7	15.2%	T1068	0	Edit rule Delete rule — cannot be undone
RULE-010	Large Data Transfer Outbound	Anomaly	High	Outbound transfer >500MB to non-whitelisted IP in 1h	netflow/egress	2026-03-15 14:50	4	25.0%	T1048	30 min	Edit rule Delete rule — cannot be undone
RULE-011	Failed Auth Spike — Any Service	Threshold	Medium	>100 auth failures across any service in 5 min	syslog/auth	2026-03-14 09:22	0	38.9%	T1110	10 min	Edit rule Delete rule — cannot be undone
RULE-012	New Admin Account Created	Signature	Medium	useradd/net user with admin group membership	auditd/syscall	2026-03-15 11:33	2	50.0%	T1136	0	Edit rule Delete rule — cannot be undone
RULE-013	DoS Traffic Volume	Threshold	Medium	Inbound PPS >100k/s from single source	netflow/ingress	2026-03-15 14:22	1	0.0%	T1499	5 min	Edit rule Delete rule — cannot be undone
RULE-014	Tor Exit Node Traffic	Signature	High	Src IP matches Tor exit node blocklist	netflow/ingress	07:18:29	234	3.8%	T1090	0	Edit rule Delete rule — cannot be undone
RULE-015	Anomalous Login Hours	Anomaly	Low	Successful login between 00:00–05:00 local for user	syslog/auth	2026-03-13 02:14	0	61.2%	T1078	0	Edit rule Delete rule — cannot be undone
RULE-016	SMTP Relay Abuse	Threshold	Medium	>500 outbound SMTP messages in 1h from single host	smtp/logs	2026-03-15 16:44	3	10.5%	T1566	30 min	Edit rule Delete rule — cannot be undone
RULE-017	Crypto Miner Process	Signature	High	Process name or cmdline matches known miner signatures	auditd/process	2026-03-14 22:17	1	5.0%	T1496	0	Edit rule Delete rule — cannot be undone
RULE-018	Beaconing Interval Analysis	Behavioral	High	Periodic outbound connections with <15% jitter over 1h	netflow/egress	2026-03-15 23:48	6	18.3%	T1071	0	Edit rule Delete rule — cannot be undone
RULE-019	Log Source Silence Alert	Threshold	Critical	No events from critical log source for >5 min	system/health	2026-03-15 08:12	2	0.0%	T1562	0	Edit rule Delete rule — cannot be undone
RULE-020	Reverse Shell Pattern	Signature	Critical	Network connection from shell process (bash/sh/cmd) outbound	auditd/network	2026-03-15 19:33	4	7.5%	T1059	0	Edit rule Delete rule — cannot be undone

20 rules shown