security-onion
Microsoft-365-Defender-Hunting-Queries
| | security-onion | Microsoft-365-Defender-Hunting-Queries |
|---|---|---|
| Mentions | 3 | 14 |
| Stars | 2,900 | 1,408 |
| Growth | - | - |
| Activity | 3.9 | 9.0 |
| Latest commit | about 3 years ago | about 2 years ago |
| Language | Jupyter Notebook | - |
| License | - | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
security-onion
- Just a student who wants to start a career in Forensics or pentest
  https://github.com/Security-Onion-Solutions/security-onion to play with blue team tools
- FOSS SIEM for homelabs?
- Application monitoring?
  Otherwise, it sounds like a case for a SIEM, but that can be a huge undertaking. As a trial you could set up a Security Onion Import Node, capture some traffic to a pcap file (via a monitor port and Wireshark etc., or some routers do this natively) and see what it gives you. I have to warn you though, it can be quite overwhelming and is the opening to an immense rabbit hole. Godspeed
Microsoft-365-Defender-Hunting-Queries
- Smartscreen reports
  There are a few SmartScreen reports under the “Protection Events” folder. All of this is already in the Security Center portal, but you can find some better descriptions here: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
- Defender Advanced Hunting
- Must have analytic rules
- New user question - Hunting cookbook?
- Advanced Threat Hunting 101
- How to monitor for ransomware attacks?
  This GitHub repo has a variety of hunting rules: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
- The Kusto Query Language
  I always find myself going back to my colleague Michael's Tracking the Adversary four-part webcast, which takes you from 100 to 400 level in the context of threat hunting: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Webcasts/TrackingTheAdversary
- Joining FileEvents to Process events
- Detecting/blocking malicious IPs
  I use a KQL query from https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries. Look in the Discovery section and try the DetectTorRelayConnectivity query. I've then created a custom detection rule to pick up instances of the alert.
- Advanced Hunting Query for SAM DB Access
What are some alternatives?
Wazuh - Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
Azure-Sentinel - Cloud-native SIEM for intelligent security analytics for your entire enterprise.
DetectionLab - Automate the creation of a lab environment complete with security tooling and logging best practices
h4cker - This repository is primarily maintained by Omar Santos (@santosomar) and includes thousands of resources related to ethical hacking, bug bounties, digital forensics and incident response (DFIR), artificial intelligence security, vulnerability research, exploit development, reverse engineering, and more.
Sending your docker logs - Sending logs from docker containers to Logit.io
HELK - The Hunting ELK
cyberchef-recipes - A list of cyber-chef recipes and curated links
Hunting-Queries-Detection-Rules - KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
snort-rules - An UNOFFICIAL Git Repository of Snort Rules (IDS rules) Releases.
Sentinel-Queries - Collection of KQL queries
awesome-pentest - A collection of awesome penetration testing resources, tools and other shiny things
hid-examples - Examples to accompany the book "Haskell in Depth"