gomcp/examples/soc_rules.yaml


# Syntrex SOC Custom Correlation Rules (§7.5)
# Place this file at .rlm/soc_rules.yaml
# These rules are loaded on startup and merged with built-in rules.
#
# NOTE(review): the merge semantics are not visible from this file — confirm
# what the loader does when a custom id collides with a built-in one (override,
# duplicate, or load error) before relying on the CUSTOM-* prefix as a
# namespace.
#
# Fields used per rule (the schema itself is not shown here; meanings below are
# inferred from the field names and descriptions — verify against the engine):
#   id, name             — rule identity and alert title.
#   required_categories  — event categories the rule keys on. NOTE(review):
#                          cannot tell from this file whether ALL listed
#                          categories must occur in the window or ANY of them
#                          counts toward min_events; CUSTOM-001's description
#                          reads as "or", CUSTOM-002's as an ordered
#                          "followed by". A count-in-window rule does not
#                          necessarily enforce ordering — confirm.
#   min_events           — event count threshold within time_window.
#   time_window          — duration; values look like Go duration strings
#                          ("2m", "15m") — presumably time.ParseDuration, confirm.
#   severity             — alert severity label; accepted values not shown.
#   kill_chain_phase     — phase label attached to the alert; accepted
#                          vocabulary not shown (see note on CUSTOM-001).
#   mitre_mapping        — technique ids attached to the alert.
#   cross_sensor         — correlate events across sensors. Only set on
#                          CUSTOM-001; the default for rules that omit it is
#                          not documented here.
rules:
  # Detect API key spray attacks across multiple sensors.
  - id: CUSTOM-001
    name: API Key Spray Attack
    required_categories: [auth_bypass, brute_force]
    # NOTE(review): 5 events in 2 minutes correlated across all sensors is a
    # low bar, and this file shows no grouping key (source address, principal,
    # key id). Confirm the engine scopes the count per actor, or expect this
    # rule to be noisy in busy environments.
    min_events: 5
    time_window: 2m
    severity: HIGH
    # NOTE(review): this file mixes taxonomies — "Reconnaissance" here, but
    # "Exfiltration"/"Impact" (ATT&CK tactic names) on the rules below. In
    # ATT&CK, T1110 sits under Credential Access, not Reconnaissance. Check
    # which vocabulary the engine accepts before relabelling.
    kill_chain_phase: Reconnaissance
    # NOTE(review): T1110.001 is Password Guessing; Password Spraying is
    # T1110.003. The sub-technique looks mismatched with the rule name and
    # description ("credential spray") — confirm which was intended.
    mitre_mapping: [T1110, T1110.001]
    description: "5+ auth bypass or brute force events within 2 minutes indicates credential spray."
    cross_sensor: true
  # Detect prompt injection evolving into data exfiltration.
  - id: CUSTOM-002
    name: Injection-to-Exfil Pipeline
    required_categories: [prompt_injection, exfiltration]
    min_events: 2
    time_window: 15m
    severity: CRITICAL
    kill_chain_phase: Exfiltration
    # NOTE(review): T1059.007 is Command and Scripting Interpreter: JavaScript,
    # which does not describe prompt injection; an analyst pivoting on this id
    # will be misled. MITRE ATLAS has a dedicated id (AML.T0051, LLM Prompt
    # Injection) — confirm whether the loader accepts ATLAS ids before changing.
    # T1041 (Exfiltration Over C2 Channel) is plausible only if the exfil
    # category really means egress over the attacker's channel — verify.
    mitre_mapping: [T1059.007, T1041]
    description: "Prompt injection followed by exfiltration within 15 minutes — potential data theft pipeline."
    # NOTE(review): cross_sensor is not set here although the injection and
    # the exfiltration are likely seen by different sensors — confirm the
    # default, otherwise this pipeline may only fire within a single sensor.
  # Detect model poisoning attempts.
  - id: CUSTOM-003
    name: Model Poisoning
    required_categories: [data_poisoning, model_manipulation]
    min_events: 3
    time_window: 30m
    severity: CRITICAL
    kill_chain_phase: Impact
    # NOTE(review): T1565 (Data Manipulation) is a reasonable ATT&CK fit; the
    # ML-specific ATLAS id is AML.T0020 (Poison Training Data). Use it only if
    # the loader accepts ATLAS ids (see CUSTOM-002).
    mitre_mapping: [T1565]
    description: "Multiple data poisoning or model manipulation events — potential integrity attack."
    # NOTE(review): cross_sensor omitted here as well — same question as
    # CUSTOM-002 about the default.