Thank you for your post. We may not be able to recommend tailored suggestions for your organization, as we leave that to the administrators of each organization by providing them documentation on the capabilities of these rules; they are to be tested in each organization to validate whether they generate false positives, how they can be fine-tuned, etc. However, we have the documentation below, which talks about some important signatures to enable and about fine-tuning our product:
I sincerely hope this helps!
I would suggest these at a minimum.
6195 (for servers)
Do you have ATP deployed? There are several JTI rules I might suggest as well.
Now I'll first qualify this by saying ATP needs to be set to clean at "Most Likely Malicious" to really benefit from this. You might want to run some test systems in observe mode for tuning, and maybe point them to "Productivity" or "Security" if you don't use those policy sets, and tune them to match "Balanced" in your target configuration.
Starting with the newest ones.
517 - If you have a TIE server, use it to trust, otherwise exclude false-positive processes with OAS exclusions. This one will stop CobaltStrike in most cases.
514 - might be noisy though. Strongly recommend a TIE server.
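The observe-mode tuning pass described above (run test systems in observe mode, then decide per rule which processes need OAS exclusions or TIE trust before switching to clean) is easiest to do from an event export. The script below is an added example, not code from the original thread or from the vendor; it assumes a constructed CSV export with columns `host,rule_id,rule_name,process,action`, which is not the product's real schema, and tallies would-block hits per rule and lists processes that the same rule flags on several hosts as candidates for analyst review.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample of observe-mode events. The column layout is an
# assumption for this example, not the product's actual export format.
SAMPLE_EVENTS = """\
host,rule_id,rule_name,process,action
WS-01,517,Rule 517,C:\\Windows\\System32\\rundll32.exe,Would Block
WS-01,514,Rule 514,C:\\Tools\\legacy_app.exe,Would Block
WS-02,514,Rule 514,C:\\Tools\\legacy_app.exe,Would Block
WS-03,514,Rule 514,C:\\Tools\\legacy_app.exe,Would Block
WS-02,6195,Sig 6195,C:\\Program Files\\Backup\\agent.exe,Would Block
WS-03,517,Rule 517,C:\\Users\\jdoe\\AppData\\Local\\Temp\\unknown.exe,Would Block
WS-01,514,Rule 514,C:\\Tools\\legacy_app.exe,Allowed
"""


def parse_events(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def hits_per_rule(events):
    """Count would-block events per rule ID; high counts mean noisy rules."""
    return Counter(e["rule_id"] for e in events if e["action"] == "Would Block")


def exclusion_candidates(events, min_hosts=2):
    """Return (rule_id, process, host_count) for processes that one rule
    flags on at least min_hosts distinct hosts, sorted by host count.

    A process hit by the same rule across many hosts is often a widely
    deployed legitimate application, so these are the first items an
    analyst reviews for an OAS exclusion or TIE trust. It is a review
    queue, not an automatic allow-list: a widely spread malicious tool
    would show up here too, so each entry needs a human decision.
    """
    hosts = defaultdict(set)
    for e in events:
        if e["action"] != "Would Block":
            continue
        hosts[(e["rule_id"], e["process"])].add(e["host"])
    candidates = [
        (rule_id, process, len(h))
        for (rule_id, process), h in hosts.items()
        if len(h) >= min_hosts
    ]
    return sorted(candidates, key=lambda c: (-c[2], c[0], c[1]))


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for rule_id, n in hits_per_rule(evts).most_common():
        print(f"rule {rule_id}: {n} would-block events")
    for rule_id, process, n in exclusion_candidates(evts):
        print(f"review: rule {rule_id} flags {process} on {n} hosts")
```

Run it against a real observe-mode export after adjusting the column names; the per-rule counts show which rules (514 in the sample) need tuning before enforcement, and the candidate list gives the analyst a ranked starting point rather than a blanket exclusion.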