English readme update

Tanaka Zakku
2021-12-11 01:13:25 +09:00
parent f7006a83f3
commit 794b8f2431


@@ -130,20 +130,33 @@ hayabusa.exe -d C:\Windows\System32\winevt\Logs -s
We have provided some sample evtx files for you to test hayabusa and/or create new rules at [https://github.com/Yamato-Security/hayabusa-sample-evtx](https://github.com/Yamato-Security/hayabusa-sample-evtx)
# Hayabusa rules
Hayabusa detection rules are written in a sigma-like YAML format.
Hayabusa detection rules are written in a sigma-like YAML format and are located at [https://github.com/Yamato-Security/hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules).
Please read [AboutRuleCreation-English.md](./doc/AboutRuleCreation-English.md) to understand about their format how to create rules.
Please read [AboutRuleCreation-English.md](./doc/AboutRuleCreation-English.md) to understand about the rule format how to create rules.
All of the rules are in the `rules` folder.
`informational` level rules are considered `events`, while anything `low` and higher are considered `alerts`.
The hayabusa rule directory structure is separated into 3 directories: `default` for logs that are turned on by default, `non-default` for logs that need to be turned on through group policy, and `sysmon` for logs that are generated by [sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon).
`informational` level rules are considered `events`, while anything rated `low` and higher are considered `alerts`.
The hayabusa rule directory structure is separated into 3 directories:
* `default`: logs that are turned on by default
* `non-default`: logs that need to be turned on through group policy
* `sysmon`: logs that are generated by [sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon).
* `testing`: a temporary directory to put rules that you are currently testing
Rules are further seperated into directories by log type (Example: Security, System, etc...) and are named in the following format:
* Alert format: `<EventID>_<MITRE ATT&CK Name>_<Description>.yml`
* Alert example: `1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml`
* Event format: `<EventID>_<Description>.yml`
* Event example: `4776_NTLM-LogonToLocalAccount.yml`
Please check out the current rules to use as a template in creating new ones or for checking the detection logic.
## Detection rule tuning
Like firewalls and IDSes, any signature-based tool will require some tuning to fit your environment so you may need to permanently or temporarily exclude certain rules.
You can add a rule ID (Example: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6) to the `config/exclude-rules.txt` in order to ignore any rule you do not need.
You can also add a rule ID to `config/noisy-rules.txt` in order to ignore the rule by default but still be able to use the rule with the `n` or `--show-noisyalerts` option.
You can add a rule ID (Example: 4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6) to `config/exclude-rules.txt` in order to ignore any rule you do not need.
You can also add a rule ID to `config/noisy-rules.txt` in order to ignore the rule by default but still be able to use the rule with the `-n` or `--show-noisyalerts` option.
# Other Windows event log analyzers and related projects
There is no "one tool to rule them all" and we have found that each has its own merits so we recommend checking out these other great tools and projects and seeing which ones you like.
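Review bot: the directory list is now inconsistent with the sentence introducing it: "The hayabusa rule directory structure is separated into 3 directories:" is followed by four bullets (`default`, `non-default`, `sysmon`, `testing`), so either change the count to 4 or describe `testing` separately from the three log-source directories. Two smaller wording issues remain in the same region: "to understand about the rule format how to create rules" is still missing "and" before "how to create rules", and "Rules are further seperated into directories by log type" should read "separated".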