HELK
Microsoft-365-Defender-Hunting-Queries
Our great sponsors
| HELK | Microsoft-365-Defender-Hunting-Queries | |
|---|---|---|
| 10 | 14 | |
| 3,659 | 1,408 | |
| - | - | |
| 0.0 | 9.0 | |
| almost 3 years ago | about 2 years ago | |
| Jupyter Notebook | Jupyter Notebook | |
| GNU General Public License v3.0 only | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
HELK
-
Kali Linux 2023.1 introduces 'Purple' distro for defensive security
Utilizing that api and juniper notebooks is exactly why Hunting Elk is the way it from my understanding.
-
where to start learning about cyber defense for beginners
So you can actual do both defensive while practicing offensive. If you can set up a lab system with an attacker, for ease using kali, and defensive systems like a single windows box, or you can go balls to the wall if you have the resources and set up an AD environment and then ship all the logs to a SIEM system like Splunk or HELK (https://github.com/Cyb3rWard0g/HELK). Building off the environment you can also include Mordor (https://github.com/UraSecTeam/mordor)
-
Home Virtual SIEM Lab Suggestions?
HELK + Mordor combo https://github.com/Cyb3rWard0g/HELK
- Threat hunting Playbooks
-
SOC with machine learning
On a side note - I somehow have the feeling that you are trying to recreate https://github.com/Cyb3rWard0g/HELK
- Suggestion for Easy to use and affordable cost SIEM solution
- Build a SOC LAB
-
Elastic for security
You can find tools that leverage ELK that aren't necessarily plugins. SIEM looks like it has some free component to it, too: https://github.com/Cyb3rWard0g/HELK https://www.elastic.co/blog/elastic-siem-free-open
-
Home lab with security monitoring tools?
HELK can help for the SIEM and detection part
-
Blue team projects
MISP is a Threat Intelligence Platform (TIP), not a hunting platform. That would be something like HELK
Microsoft-365-Defender-Hunting-Queries
-
Smartscreen reports
There are few smart screen reports under “Protection Events” folder. All this is already in the Security Center portal but you can find some better description here https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
- Defender Advance Hunting
- Must have analytic rules
- New user question - Hunting cookbook?
- Advance Threat Hunting 101
-
How to monitor for ransomware attacks?
This github repo has a variety of hunting rules: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
-
The Kusto Query Language
I always find myself going back to my colleague Michael's Tracking the Adversary 4 part webcast where it takes you from 100 to 400 level in the context of threat hunting: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Webcasts/TrackingTheAdversary
- Joining FileEvents to Process events
-
Detecting/blocking malicious IPs
I use a KQL query from https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries. Look in the Discovery section and try the DetectTorRelayConnectivity query. I've then created a custom detection rule to pick up instances of the alert.
- Advanced Hunting Query for SAM DB Access
What are some alternatives?
pfelk - pfSense/OPNsense + Elastic Stack
security-onion - Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
DetectionLab - Automate the creation of a lab environment complete with security tooling and logging best practices
Azure-Sentinel - Cloud-native SIEM for intelligent security analytics for your entire enterprise.
docker-elk - The Elastic stack (ELK) powered by Docker and Compose.
h4cker - This repository is primarily maintained by Omar Santos (@santosomar) and includes thousands of resources related to ethical hacking, bug bounties, digital forensics and incident response (DFIR), artificial intelligence security, vulnerability research, exploit development, reverse engineering, and more.
RedELK - Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
Hunting-Queries-Detection-Rules - KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
praeco - Elasticsearch alerting made simple.
Sentinel-Queries - Collection of KQL queries
jupyter2kibana - A Workflow for Data Scientists to bring Jupyter Notebook Visualizations to Kibana Dashboards
hid-examples - Examples to accompany the book "Haskell in Depth"