sysmon
wazuh-ruleset
| sysmon | wazuh-ruleset | |
|---|---|---|
| 2 | 1 | |
| 55 | 319 | |
| - | - | |
| 1.8 | 4.7 | |
| almost 3 years ago | over 2 years ago | |
| Python | ||
| GNU General Public License v3.0 only | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sysmon
-
Help Me Understand This Level 12 Sysmon Rule
Alright, I'm in the process of setting up wazuh for my organization. It's been working well with the default alerts it comes with. I wanted to try ingesting and alerting on sysmon logs so I added sysmon to a test endpoint (an IT workstation), added the necessary lines to ossec.conf, and added the ruleset mentioned here to the wazuh manager (local_rules.xml). Seems to be working, I see sysmon logs in wazuh and am now being overwhelmed by this level 12 alert...
-
Wazuh or Wazuh and Graylog?
Wazuh can do a lot for you regarding Win events: - https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/how-to-collect-wlogs.html - https://wazuh.com/blog/learn-to-detect-threats-on-windows-by-monitoring-sysmon-events/ - https://github.com/sametsazak/sysmon
wazuh-ruleset
-
Windows events alerts with Wazuh
In this repository https://github.com/wazuh/wazuh-ruleset you can find the decoders and rules that wazuh-manager has by default (all these files are being migrated to the repository wazuh/wazuh https://github.com/wazuh/wazuh).
What are some alternatives?
fim - FIM is an Open Source Host-based file integrity monitoring tool that performs file system analysis, file integrity checking, real time alerting and provides Audit daemon data.
sigma - Main Sigma Rule Repository
wazuh-dashboard-plugins - Plugins for Wazuh Dashboard
Fail2Ban - Daemon to ban hosts that cause multiple authentication errors
wazuh-documentation - Wazuh - Project documentation
openscap - NIST Certified SCAP 1.2 toolkit
wazuh-docker - Wazuh - Docker containers
openwisp-monitoring - Network monitoring system written in Python and Django, designed to be extensible, programmable, scalable and easy to use by end users: once the system is configured, monitoring checks, alerts and metric collection happens automatically.
loglizer - A machine learning toolkit for log-based anomaly detection [ISSRE'16]
Check-WP-CVE-2020-35489 - The (WordPress) website test script can be exploited for Unlimited File Upload via CVE-2020-35489
OSSEC - OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
RedELK - Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.