sysmon-modular
A repository of sysmon configuration modules (by olafhartong)
sigma
Main Sigma Rule Repository (by Neo23x0)
Our great sponsors
sysmon-modular | sigma | |
---|---|---|
15 | 41 | |
2,485 | 7,598 | |
- | 3.1% | |
6.8 | 9.8 | |
2 months ago | 7 days ago | |
PowerShell | Python | |
MIT License | GNU General Public License v3.0 or later |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sysmon-modular
Posts with mentions or reviews of sysmon-modular.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-06-29.
-
Sysmon 15.0 is out now with advanced features
I was specifically using the https://github.com/olafhartong/sysmon-modular config, but once we started seeing systems crash I tried building extremely minimal configs and still found them causing hangs.
-
Splunk & Sysmon as SIEM
I use this one: https://github.com/olafhartong/sysmon-modular
-
Looking for inputs and validation for this network setup.
2) There are many opensource solutions, and you hit on all the important ones. Think creativitly, and test all your controls. hit your boxes with Metaspoilt and atomic redteam. These tools will help you verify that you have the proper controls in place, and that you are able to detect attacks (successful, and failed). Run auditd with Florian Roth's rule set on your linux boxes (https://github.com/Neo23x0/auditd/blob/master/audit.rules ), and sysmon (https://github.com/olafhartong/sysmon-modular) on windows.
- Researching SIEM
-
Is Windows Defender for Business any good?
Agree. Harden your endpoints (if unsure where to start consider hardening kitty, https://github.com/scipag/HardeningKitty) and harden Defender (https://0ut3r.space/2022/03/06/windows-defender/). Add Sysmon with a good config (https://github.com/olafhartong/sysmon-modular) and you've reached a good starting point.
- New blue team
- Microsoft recommend Sysmon and EDR
-
Security Cadence: Sysmon (Logging Part 2 out of ?????)
Another really excellent resource (also called out by Swift) is Olaf Hartong’s Sysmon-Modular project: https://github.com/olafhartong/sysmon-modular As well as having a few full configs, Olaf’s project has modular XML configurations for each supported Sysmon Event ID. This can be incredibly helpful for fine tuning your configs.
-
splunk sysmon events
Yes absolutely. This is a very common workflow for both. One note is that you need to also find a sysmon config to use as well, and there's no easy way to manage either sysmon or its config through Splunk. Recommendations for a config are either SwiftOnSecurity's or Olaf's SysmonModular. They significantly overlap and work with each other on patches. SwiftOnSecurity's is a better pure drop-in, and Olaf's is better if you want to do customization.
-
Best monitoring software that works like event logs?
For some of the items you mentioned having a good sysmon config would help too. https://github.com/SwiftOnSecurity/sysmon-config or https://github.com/olafhartong/sysmon-modular are good starting points
sigma
Posts with mentions or reviews of sigma.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-07-05.
-
Sigma rules in real life
Sigma rules https://github.com/SigmaHQ/sigma its value, I get it. Here’s a post https://www.linkedin.com/posts/nasreddinebencherchali_detection-blueteam-sigma-activity-7104868070069817344-mn91?utm_source=share&utm_medium=member_desktop detailing that 31 Sigma rules from the Sigma repository are triggering on different stages of the attack as described here https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
-
Looking for feedback on a security-related project idea
Idea: A free and open-source web repository of Sigma detections where users can find, contribute, and suggest edits to detections. All user contributions will go through a StackExchange-style moderation queue. Built-in conversion from Sigma to the query language of your choice.
-
SOC SIEM Use Cases for First Internship
If you want more ideas/inspiration, or even just a starting point for baseline rule logic check out https://github.com/SigmaHQ/sigma https://github.com/SigmaHQ/sigma and look into the different rules folders there.
-
How do you actually threat hunt?
Agreed in general. But with stuff like SIGMA, I'd lean towards stuff should going into git. Better version control, your docs can be markdown and live right next to your threat library, you can strap on CI/CD (so you can deploy/run stuff as part of a pipeline). Confluence is a great start, but it doesn't scale well.
- Open Source SIEM Tools
-
Detection Engineering Source Websites
Have a look a sigma rules: https://github.com/SigmaHQ/sigma
- Scheduling query to look for whenever net group is ran.
- Scheduling querying that looks for anytime net group is ran.
-
3CX Customers suffering intrusions
Sigma: https://github.com/SigmaHQ/sigma/pull/4151/files Yara: https://github.com/Neo23x0/signature-base/blob/master/yara/gen\_mal\_3cx\_compromise\_mar23.yar source: https://twitter.com/cyb3rops/status/1641130326830333984?s=20
-
Any Suggestions On Creating A Detection Rule In Defender For CVE-2023-23397
I created a Defender Advanced Hunting query based of the Sigma rule https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml
What are some alternatives?
When comparing sysmon-modular and sigma you can also consider the following projects:
sysmon-config - Sysmon configuration file template with default high-quality event tracing
Wazuh - Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
DetectionLabELK - DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.
auditd - Best Practice Auditd Configuration
wazuh-ruleset - Wazuh - Ruleset
SysmonForLinux
velociraptor - Digging Deeper....
Windows-Toolkit - PS one-liner cmdlets for Windows security
OpenSIEM-Logstash-Parsing - SIEM Logstash parsing for more than hundred technologies
sysmon-modular vs sysmon-config
sigma vs Wazuh
sysmon-modular vs atomic-red-team
sigma vs sysmon-config
sysmon-modular vs DetectionLabELK
sigma vs atomic-red-team
sysmon-modular vs auditd
sigma vs wazuh-ruleset
sysmon-modular vs SysmonForLinux
sigma vs velociraptor
sysmon-modular vs Windows-Toolkit
sigma vs OpenSIEM-Logstash-Parsing