display computers with most alerts (#558)

* added top3 alert by level and computer #557

* cargo fmt

* updated changelog #557

* updated readme #557

* added output when one computer name in level. #557

* updated screenshot

* updated rules

* add SOF-ELK link

* readme update

* readme update

* cargo fmt

* change display num from 3 to 5 #557

* excluded count when computer name is "-" in event and fixed output #557

- removed warn output.

- changed output when count is 0.

* cargo fmt

* changed computer name summary to filter unique computer name and rule path pair #557

* cargo fmt

* readme update change order of output

* changelog update

* fixed crash bug when level is not valid #560 #557

Co-authored-by: Tanaka Zakku <71482215+YamatoSecurity@users.noreply.github.com>
DustInDark
2022-06-03 12:01:14 +09:00
committed by GitHub
parent af5a85fc0c
commit 9e1fabb21e
7 changed files with 103 additions and 18 deletions


@@ -65,7 +65,8 @@ Hayabusa is a **Windows event log fast forensics timeline generator** and **thre
- [Progress Bar](#progress-bar)
- [Color Output](#color-output)
- [Event Fequency Timeline](#event-fequency-timeline)
- [Dates with most detections categorized by level](#dates-with-most-detections-categorized-by-level)
- [Dates with most total detections](#dates-with-most-total-detections)
- [Top 5 computers with most unique detections](#top-5-computers-with-most-unique-detections)
- [Hayabusa Rules](#hayabusa-rules)
- [Hayabusa v.s. Converted Sigma Rules](#hayabusa-vs-converted-sigma-rules)
- [Detection Rule Tuning](#detection-rule-tuning)
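Review bot: the two new table-of-contents entries and their anchors (`#dates-with-most-total-detections`, `#top-5-computers-with-most-unique-detections`) match the headings added further down, so the links will resolve; while this block is being edited, though, the neighbouring context line `- [Event Fequency Timeline](#event-fequency-timeline)` carries a typo ("Fequency") in both the link text and the anchor, and fixing it here would require the matching heading to be renamed in the same commit so the anchor keeps working.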
@@ -575,9 +576,13 @@ If you want to disable color output, you can use `--no-color` option.
The Event Frequency Timeline feature displays a sparkline frequency timeline of detected events.
Note: There needs to be more than 5 events.
## Dates with most detections categorized by level
## Dates with most total detections
A summary of the dates with the most detections categorized by level (`critical`, `high`, etc...).
A summary of the dates with the most total detections categorized by level (`critical`, `high`, etc...).
## Top 5 computers with most unique detections
The top 5 computers with the most unique detections categorized by level (`critical`, `high`, etc...).
# Hayabusa Rules
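Review bot: the description of the new section is underspecified relative to what the commit message says the feature does. "The top 5 computers with the most unique detections categorized by level (`critical`, `high`, etc...)" should say what "unique" means here (per the commit message, a computer name and rule path pair is counted once) and that events whose computer name is `-` are excluded from the count, otherwise a reader comparing the summary with their own counts will be surprised. Also, the renamed heading `## Dates with most total detections` is paired with the sentence "A summary of the dates with the most total detections categorized by level", which reads as contradictory (total versus per level); consider "For each level (`critical`, `high`, etc...), the date with the most detections."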
@@ -675,6 +680,7 @@ There is no "one tool to rule them all" and we have found that each has its own
* [LogonTracer](https://github.com/JPCERTCC/LogonTracer) - A graphical interface to visualize logons to detect lateral movement by [JPCERTCC](https://twitter.com/jpcert_en).
* [RustyBlue](https://github.com/Yamato-Security/RustyBlue) - Rust port of DeepBlueCLI by Yamato Security.
* [Sigma](https://github.com/SigmaHQ/sigma) - Community based generic SIEM rules.
* [SOF-ELK](https://github.com/philhagen/sof-elk) - A pre-packaged VM with Elastic Stack to import data for DFIR analysis by [Phil Hagen](https://twitter.com/philhagen)
* [so-import-evtx](https://docs.securityonion.net/en/2.3/so-import-evtx.html) - Import evtx files into Security Onion.
* [SysmonTools](https://github.com/nshalabi/SysmonTools) - Configuration and off-line log visualization tool for Sysmon.
* [Timeline Explorer](https://ericzimmerman.github.io/#!index.md) - The best CSV timeline analyzer by [Eric Zimmerman](https://twitter.com/ericrzimmerman).
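Review bot: the new SOF-ELK entry is the only item in this list without a trailing period; for consistency with the surrounding lines (`... by Yamato Security.`, `... Import evtx files into Security Onion.`) end it with one: `... for DFIR analysis by [Phil Hagen](https://twitter.com/philhagen).`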