I think there could be a place for sharing alerts. I also like the idea of sharing queries. Of course, all sanitized and generalized to protect private information, but I agree that there is value in sharing some of these. Of course, a big issue is not everyone has the same logs coming into their IDR, so there may need to be a format showing the alert, what logs it may work with, what type of events (i.e. Active Directory, DNS, etc.)
I like that queries can be so simple and then used in an alert. For example, these are some of mine and they are pretty generic. I run these with several logs selected; of course, you may or may not have the same logs. I use my DNS logs, asset authentication, file modification, raw and unparsed. Now they have EET which really helps.
where("A member was removed from a security-enabled" AND "group") *AD accountability
where(kali AND download) *only I should download this
where(printer AND OUTBOUND) *why should a printer talk to the outside?
Here is a crazy one looking for suspicious PS commands:
where(add-exfiltration OR add-persistence OR add-scrnsavebackdoor OR base64.b64decode OR base64tostring OR check-vm OR chocolatey.org OR copy-vss OR create-multiplesessions OR discover-psinterestingservices OR discover-psmsexchangeservers OR discover-psmssqlservers OR dllinjection OR do-exfiltration OR download-execute-ps OR downloadstring OR enable-duplicatetoken OR encodedcommand OR execute-command-mssql OR execute-dnstxt-code OR execute-ontime OR exploittable OR extract-wifi-creds OR find-allvulns OR find-avsignature OR find-ms OR find-ms13081 OR find-psserviceaccounts OR frombase64string OR )
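As an added example (not part of the post above and not InsightIDR code), here is a small Python evaluator that applies keyword rules shaped like those queries to a few constructed log lines; the rule names, the case-insensitive substring matching, and the sample log lines are assumptions.

```python
# Added example: a minimal evaluator for keyword alert rules shaped like the
# queries in the post (AND of terms, each term optionally an OR-list), run over
# constructed log lines. Not InsightIDR code; rule names, matching semantics
# (case-insensitive substring) and the sample lines are assumptions.

RULES = {
    # where("A member was removed from a security-enabled" AND "group")
    "AD accountability": [["A member was removed from a security-enabled"], ["group"]],
    # where(kali AND download)
    "kali download": [["kali"], ["download"]],
    # where(printer AND OUTBOUND)
    "printer outbound": [["printer"], ["OUTBOUND"]],
    # a few of the OR'd terms from the suspicious-PowerShell query
    "suspicious PS": [["add-exfiltration", "add-persistence", "downloadstring",
                       "encodedcommand", "frombase64string", "dllinjection"]],
}

# Constructed log lines from mixed sources (the post runs one query over several
# log sets); none are real events.
SAMPLE_LOGS = [
    "4729: A member was removed from a security-enabled global group. Member: jdoe",
    "DNS query from workstation-12: kali.org (user browsing the download page)",
    "Firewall OUTBOUND allow src=printer-3f dst=203.0.113.7:443",
    "Process created: powershell.exe -NoProfile -EncodedCommand aGVsbG8=",
    "DNS query from workstation-07: update.microsoft.com",
    "4728: A member was added to a security-enabled global group. Member: asmith",
]

def matches(rule, line):
    """True when every AND-group has at least one alternative present in the line."""
    low = line.lower()
    return all(any(alt.lower() in low for alt in group) for group in rule)

def evaluate(lines, rules=RULES):
    """Return {alert name: [indices of lines that would raise that alert]}."""
    hits = {}
    for idx, line in enumerate(lines):
        for name, rule in rules.items():
            if matches(rule, line):
                hits.setdefault(name, []).append(idx)
    return hits

if __name__ == "__main__":
    for name, idxs in evaluate(SAMPLE_LOGS).items():
        print(f"{name}: {[SAMPLE_LOGS[i] for i in idxs]}")
```

Note that the "added to" event on the last sample line does not fire the AD rule, which is exactly the distinction the removed-from-group query relies on.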