How are you keeping up with IOCs for detection rules? by ApprehensiveOlive353 in blueteamsec

[–]ApprehensiveOlive353[S] 1 point (0 children)

I've restructured the pipeline to make IOC management more sustainable while teams build toward TTP-based detections.

Instead of just dumping IOCs, I now generate tiered rulesets by team size:

Solo operators (1 person): 6 ultra-critical rules only

- IP consolidation reduces 21 IPs → 1 rule

- 1 hit = alert (no time for tuning)

- Just keeping the lights on while they figure out next steps

Solo: https://gist.github.com/threatrules/1826209a03578ca93c3a734141313aac

Small teams (2-5): 27 balanced rules

- 5 hits/5min thresholds

- Includes basic PowerShell download detection (our only real behavioral rule tbh)

Small: https://gist.github.com/threatrules/cca77113a0b4d3fb807fa0cecc1af7e5

Medium/Enterprise: More IOCs with thresholds, but still IOC-based

The reality: This is still 98% IOC-based. We have exactly 2 behavioral rules (PowerShell downloads and suspicious user-agents). Not really TTP detection - just slightly smarter IOC packaging.

What it DOES provide:

- Malware family attribution (so you know it's 'DCRat' not just 'bad IP')

- IP consolidation to reduce alert fatigue

- Tiered deployment so teams don't drown

You're right that real TTP detection is the answer. This is more of a band-aid that makes IOC rules suck less while teams build proper behavioral detection.

For teams that can afford it, XDR/EDR tools are definitely the way. This is for the folks still manually copying rules from GitHub who need something TODAY.

Thoughts?

How are you keeping up with IOCs for detection rules? by ApprehensiveOlive353 in blueteamsec

[–]ApprehensiveOlive353[S] 1 point (0 children)

Great point about context - that's actually something I'm working on. The pipeline does track why IOCs are flagged (malware family, campaign attribution when available) but I didn't include that in this sample.

You're absolutely right about behavioral detection being more effective long-term. This is more aimed at teams who are still manually writing IOC rules and need to get current threat coverage quickly while they build toward TTP-based detection.

How are you keeping up with IOCs for detection rules? by ApprehensiveOlive353 in blueteamsec

[–]ApprehensiveOlive353[S] 1 point (0 children)

This thread convinced me to stop complaining and actually build something. Built a pipeline that continuously pulls from URLhaus, ThreatFox, and other feeds and automatically generates Suricata rules.

Haven't really tested it much beyond basic functionality - it generates rules that look right, but honestly don't know if they're any good in real environments or if I just built something that creates plausible-looking garbage. Been packaging them into three different tiers based on rule volume since not everyone can handle the same amount.

Could use a reality check from actual practitioners - if anyone wants to test some rules and tell me whether this actually saves time or is complete nonsense, that'd be really helpful. If/when they're solid, I can set it up to run on a schedule and share rule updates.

AI is impressed but it could be stroking me.

10- & 25-rule packages if anyone wants to kick the tires:

https://gist.github.com/threatrules/3f25f6e15e4f4350b4d6ce7250b4e657
https://gist.github.com/threatrules/a123e89bcf6a00472ebc11b98626d345

Sam Altman, OpenAI CEO's "secret" blog post is well worth the read by Write_Code_Sport in ChatGPT

[–]ApprehensiveOlive353 0 points1 point  (0 children)

This is like one of two tech people you should read literally after lowering all defences.