most detections summary by date (#551)

* added Date with most detections by level #550

* cargo fmt

* updated changelog #550

* updated readme #550

* removed most undefined detections date in summary #550

* cargo fmt

* add space after level tuning

* changed undefined rule detection count to no show #550

* cargo fmt

* readme update

* channel abb update

* channel abb update

* readme update

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
DustInDark
2022-05-31 22:29:51 +09:00
committed by GitHub
parent 4c1aa94eba
commit 7a7afe732c
7 changed files with 96 additions and 3 deletions


@@ -65,6 +65,7 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre
- [Progress Bar](#progress-bar)
- [Color Output](#color-output)
- [Event Fequency Timeline](#event-fequency-timeline)
- [Dates with most detections categorized by level](#dates-with-most-detections-categorized-by-level)
- [Hayabusa Rules](#hayabusa-rules)
- [Hayabusa v.s. Converted Sigma Rules](#hayabusa-vs-converted-sigma-rules)
- [Detection Rule Tuning](#detection-rule-tuning)
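Review bot: the new TOC entry is anchored correctly, but the unchanged line directly above it still carries the typo "Event Fequency Timeline" in both the link text and the `#event-fequency-timeline` anchor; since this hunk already edits the TOC, it would be worth correcting that entry to "Event Frequency Timeline" together with the matching heading so the anchor keeps resolving.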
@@ -527,7 +528,7 @@ If you want to output all the tags defined in a rule, please specify the `--all-
## Channel Abbreviations
In order to save space, we use the following abbreviations when displaying Channel.
You can freely edit these abbreviations in the `config/config/channel_abbreviations.txt` configuration file.
You can freely edit these abbreviations in the `config/channel_abbreviations.txt` configuration file.
* `Application` : App
* `DNS Server` : DNS-Svr
@@ -542,6 +543,8 @@ You can freely edit these abbreviations in the `config/config/channel_abbreviati
* `Microsoft-Windows-DHCP-Server/Operational` : DHCP-Svr
* `Microsoft-Windows-DriverFrameworks-UserMode/Operational` : DvrFmwk
* `Microsoft-Windows-NTLM/Operational` : NTLM
* `Microsoft-Windows-Security-Mitigations/KernelMode` : SecMitigations
* `Microsoft-Windows-Security-Mitigations/UserMode` : SecMitigations
* `Microsoft-Windows-SmbClient/Security` : SmbCliSec
* `Microsoft-Windows-Sysmon/Operational` : Sysmon
* `Microsoft-Windows-TaskScheduler/Operational` : TaskSch
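Review bot: the two added channels `Microsoft-Windows-Security-Mitigations/KernelMode` and `Microsoft-Windows-Security-Mitigations/UserMode` are both abbreviated to the same string `SecMitigations`, so an analyst reading the timeline can no longer tell a kernel-mode mitigation event from a user-mode one, which is exactly the distinction those two channels exist to make. Consider distinct abbreviations (for example `SecMitKM` and `SecMitUM`) in both this readme list and `config/channel_abbreviations.txt`, and keep the two files in sync.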
@@ -572,6 +575,10 @@ If you want to disable color output, you can use `--no-color` option.
The Event Frequency Timeline feature displays a sparkline frequency timeline of detected events.
Note: There needs to be more than 5 events.
## Dates with most detections categorized by level
A summary of the dates with the most detections categorized by level (`critical`, `high`, etc...).
# Hayabusa Rules
Hayabusa detection rules are written in a sigma-like YML format and are located in the `rules` folder. In the future, we plan to host the rules at [https://github.com/Yamato-Security/hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules) so please send any issues and pull requests for rules there instead of the main hayabusa repository.
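Review bot: the new "Dates with most detections categorized by level" section is a single sentence and leaves the behaviour described in this commit's own message undocumented: it says undefined-level detections were removed from the summary and that a zero count is no longer shown, but the readme text does not tell the reader that levels or dates with no detections are omitted, nor which timestamp field and timezone the date is derived from. Add a sentence covering those points (and a short sample of the output, like the Event Frequency Timeline section has for its "more than 5 events" note) so users do not misread an absent level as a missing feature.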