Detection engineering enterprise
Reglas unificadas XDR/EDR
Consola unica para reglas de deteccion, Custom IOA, politicas ML/behavioral, IOC rules, Fusion workflows y hunting queries convertibles en controles persistentes.
Inventario tecnico unificado
3 reglas enterprise configuradas
| Regla | Tipo | Accion | Severidad | Host groups | Sensibilidad | Acciones |
|---|---|---|---|---|---|---|
| Custom IOA - Bloquear PowerShell codificado | custom_ioa | alert_and_block | high | workstations, users-standard | 90% |
Ver Editar |
| Policy - Servidores criticos ML agresivo | prevention_policy | block | critical | servers-critical, domain-controllers, database | 96% |
Ver Editar |
| IOC - Bloqueo rapido de campaña activa | ioc_rule | alert_and_block | high | all-endpoints | 87% |
Ver Editar |
Modificar regla
Policy - Servidores criticos ML agresivo
prevention_policy
Policy - Servidores criticos ML agresivo
block · enabled · critical
T1003T1021T1068
1. Custom IOA
Comportamiento a la medida
Eventos
ml_detection, behavioral_detection, exploit_attempt
Procesos
sqlcmd.exe, psexec.exe, wmic.exe, rundll32.exe
Argumentos
credential dump, remote service creation, suspicious memory operation
Rutas/Registro
Run, RunOnce, Services
2. Policies + ML Behavioral
Motores internos
Machine Learning
95%
Behavioral Analysis
94%
Exploit Prevention
92%
3. Indicators / IOC Rules
Hash, dominio e IP
Hashes
N/A
Dominios
N/A
IPs
N/A
FP controls
maintenance window, approved DBA jump host
4. Fusion Workflow
Orquestacion
Triggers
new_critical_detection
Condiciones
asset_criticality=critical
Acciones
isolate_host
assign_incident_commander
collect_forensics
5. Event Search / Threat Hunting
Regla no persistente convertible
event_platform=Win AND (Technique=T1003 OR Technique=T1021) AND critical_asset=true