| | HELK | sigma |
|---|---|---|
| Mentions | 10 | 41 |
| Stars | 3,659 | 7,464 |
| Growth | - | 2.6% |
| Activity | 0.0 | 9.9 |
| Latest commit | almost 3 years ago | 6 days ago |
| Language | Jupyter Notebook | Python |
| License | GNU General Public License v3.0 only | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
HELK
- Kali Linux 2023.1 introduces 'Purple' distro for defensive security
  Utilizing that API and Jupyter notebooks is exactly why Hunting ELK is the way it is, from my understanding.
- where to start learning about cyber defense for beginners
  So you can actually do both defensive while practicing offensive. If you can set up a lab system with an attacker, for ease using Kali, and defensive systems like a single Windows box, or you can go balls to the wall if you have the resources and set up an AD environment and then ship all the logs to a SIEM system like Splunk or HELK (https://github.com/Cyb3rWard0g/HELK). Building off the environment you can also include Mordor (https://github.com/UraSecTeam/mordor).
- Home Virtual SIEM Lab Suggestions?
  HELK + Mordor combo https://github.com/Cyb3rWard0g/HELK
  - Threat hunting Playbooks
- SOC with machine learning
  On a side note - I somehow have the feeling that you are trying to recreate https://github.com/Cyb3rWard0g/HELK
- Elastic for security
  You can find tools that leverage ELK that aren't necessarily plugins. SIEM looks like it has some free component to it, too: https://github.com/Cyb3rWard0g/HELK https://www.elastic.co/blog/elastic-siem-free-open
- Home lab with security monitoring tools?
  HELK can help for the SIEM and detection part
sigma
- Looking for feedback on a security-related project idea
  Idea: A free and open-source web repository of Sigma detections where users can find, contribute, and suggest edits to detections. All user contributions will go through a StackExchange-style moderation queue. Built-in conversion from Sigma to the query language of your choice.
- How do you actually threat hunt?
  Agreed in general. But with stuff like SIGMA, I'd lean towards stuff going into git. Better version control, your docs can be markdown and live right next to your threat library, you can strap on CI/CD (so you can deploy/run stuff as part of a pipeline). Confluence is a great start, but it doesn't scale well.
- Addressing OneNote malware
  // Ported from https://github.com/SigmaHQ/sigma/blob/4921c96703cb60dcc54898d9a1f65f534ea7a844/rules/windows/file/file_event/file_event_win_one_extension_files_in_susp_locations.yml
- Microsoft recommend Sysmon and EDR
  True. Florian Roth keeps an updated fork https://github.com/Neo23x0/sysmon-config and also a huge detection rules repo https://github.com/SigmaHQ/sigma
- Sigma rule that monitors suspicious file creations on Exchange servers by the IIS server process
  sigma/file_event_win_exchange_webshell_drop_suspicious.yml at master · SigmaHQ/sigma · GitHub
- Sigma Rules: How YAML Textual Signatures Boost SOC Efficiency
  Basic Sigma taxonomy and schema know-how are essential to be able to write Sigma Rules. Since it is in YAML, learning how to write rules should not be that much of a challenge. For those who are new to Sigma, the official Sigma GitHub page should be a good starting point.
- SOC analysts! looking for advice
  Get started with alert data from AV, EDR, HIPS/IPS, Web Proxy. Florian Roth has some good cheat sheets for AV and Web Proxy that can be turned into detection rules of different severity. Otherwise, don't reinvent the wheel, look at existing rules like sigma or others.
- CVE-2022-26134 – Confluence Zero Day Remote Code Execution - live threat
  Sigma - https://github.com/SigmaHQ/sigma/blob/master/rules/linux/builtin/lnx_shell_susp_commands.yml
- Elastic for security
  Try this instead: https://github.com/SigmaHQ/sigma
- SIEM Test Cases
  SIGMA, SOCPrime Sigma, Sigma Translator, Elastic Rules, Splunk Rules, ThreatHunter Playbook, iRedTeam, Lolbas, Atomic Red Team
What are some alternatives?
Wazuh - Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
sysmon-config - Sysmon configuration file template with default high-quality event tracing
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
wazuh-ruleset - Wazuh - Ruleset
velociraptor - Digging Deeper....
OpenSIEM-Logstash-Parsing - SIEM Logstash parsing for more than hundred technologies
pfelk - pfSense/OPNsense + Elastic Stack
DetectionLab - Automate the creation of a lab environment complete with security tooling and logging best practices
detection-rules - Rules for Elastic Security's detection engine
docker-elk - The Elastic stack (ELK) powered by Docker and Compose.
PrintNightmare
CVE-2021-1675 - CVE-2021-1675 Detection Info