SIGMA-detection-rules
chainsaw
Our great sponsors
SIGMA-detection-rules | chainsaw | |
---|---|---|
2 | 13 | |
266 | 2,547 | |
- | 3.7% | |
6.4 | 8.3 | |
about 2 months ago | 13 days ago | |
Rust | ||
Creative Commons Zero v1.0 Universal | GNU General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
SIGMA-detection-rules
-
should we write our own custom rule
I am currently employed as a cyber analyst, and we've recently implemented an Endpoint Detection and Response (EDR) system. Upon closer inspection, I've observed that numerous events are not being flagged as alerts. This raises a crucial question: should I take the initiative to create custom rules to ensure these events are brought to our attention, or should I rely solely on the EDR's intrinsic capabilities to detect and classify threats? As a potential solution, I'm contemplating the implementation of rules based on Sigma, such as those available at the following repository: here. Your insights and experiences on the effectiveness of this approach would be greatly appreciated. Thank you for your time and assistance.
-
Installed Graylog. 7 million log entries per month. Now what?
Depending on whether this is up your alley either look for a MSSP/MDR/Managed BlaBla provider or head on to - https://github.com/splunk/security_content - https://www.elastic.co/guide/en/security/current/prebuilt-rules.html - https://github.com/mdecrevoisier/SIGMA-detection-rules - https://github.com/Azure/Azure-Sentinel to get an idea of what to look for. MITRE ATT&CK and the related DETT&CT should serve as an additional eye opener. Ah yes - forgot the bible on log management from Anton Chuvakin in the above list.
chainsaw
- Agent event queue is flooded. Check the agent configuration
- What's your favorite cybersecurity tool?
-
Tools for "static" log analysis
https://github.com/WithSecureLabs/chainsaw if you're just looking for bad stuff.
- Chainsaw v2.0 Release - Hunt and Search Through Windows Event Logs
- Chainsaw v2.0.0 - Rapidly Search and Hunt through Windows Event Logs
- Chainsaw 2.0: Allows users to rapidly search through Windows event logs and hunt for threats using Sigma detection rules.
-
EvtxHussar 1.0
Differences between this and Chainsaw? Chainsaw
- IR log Collection/Parsing Recommendations
-
AMA : I’m a cybersecurity engineer at Microsoft .
Use Chainsaw for event logs https://github.com/countercept/chainsaw
- GitHub - countercept/chainsaw: Rapidly Search and Hunt through Windows Event Logs
What are some alternatives?
EVTX-to-MITRE-Attack - Set of EVTX samples (>270) mapped to MITRE ATT&CK tactic and techniques to measure your SIEM coverage or developed new use cases.
EvtxHussar - Initial triage of Windows Event logs
Azure-Sentinel - Cloud-native SIEM for intelligent security analytics for your entire enterprise.
hayabusa - Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
security_content - Splunk Security Content
zff-rs - Library to handle the files in zff format (file format to store and handle forensic acquisitions).
WELA - WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! ゑ羅(ウェラ)
Wazuh - Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
EnableWindowsLogSettings - Documentation and scripts to properly enable Windows event logs.
Purpleteam - Purpleteam scripts simulation & Detection - trigger events for SOC detections
lnav - Log file navigator