6. Reviewing and Enabling Sigma Rules
Last updated
Once Sysmon data is being collected, go to "Rules & Policies" -> "SIGMA/YARA Rules" -> "SIGMA Rules". Click the three-dot menu on the left side of the grid, select "Enable All Rules Displayed", and then select "Force Run All Rules Displayed". It is recommended to enable the rules only after one day of Sysmon collection.
Go to "Threat Hunting" -> "Hunting Settings" -> "Asset & Threat Analysis Settings" -> "Threat Detection Rules Run Interval (Hour)". Here you can change the run interval and edit the next run time. Be sure to click the save button after editing.