This commit is contained in:
defensivedepth
2024-09-23 12:55:07 -04:00
parent 074cc8e6ff
commit ef003ffbb5
6 changed files with 120 additions and 55 deletions
@@ -1,27 +1,27 @@
title: 'Template 1'
id: '2B160E43-3B95-4B50-AA3F-25D99F51FA69'
description: 'Credit @ITProPaul'
references: 'https://github.com/Neo23x0/sysmon-config'
author: 'SOS'
date: '09/18/24'
event_type: 'NetworkConnect'
id: 'This needs to be a UUIDv4 id - https://www.uuidgenerator.net/version4'
description: 'Short description detailing what this rule is filtering and why.'
references: 'Relevant urls, etc'
author: '@SecurityOnion'
date: 'MM/DD/YY'
event_type: 'dns_query'
filter_type: 'exclude'
filter:
selection_1:
TargetField: 'DestinationIp'
Condition: 'begin with'
Pattern: 'fe80:0:0:0'
TargetField: 'QueryName'
Condition: 'end with'
Pattern: '.thawte.com'
---
title: 'Template2'
id: '3B160E43-3B95-4B50-AA3F-25D99F51FA69'
description: 'Credit @ITProPaul'
references: 'https://github.com/Neo23x0/sysmon-config'
author: 'SOS'
date: '09/18/24'
event_type: 'NetworkConnect'
title: 'Template 2'
id: 'This needs to be a UUIDv4 id - https://www.uuidgenerator.net/version4'
description: 'Short description detailing what this rule is filtering and why.'
references: 'Relevant urls, etc'
author: '@SecurityOnion'
date: 'MM/DD/YY'
event_type: 'process_creation'
filter_type: 'exclude'
filter:
selection_1:
TargetField: 'DestinationIp'
Condition: 'begin with'
Pattern: 'fe80:0:0:0'
TargetField: 'ParentImage'
Condition: 'is'
Pattern: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe'
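Review bot: The `date: 'MM/DD/YY'` placeholder (present in both documents of this hunk) invites an ambiguous, non-sortable format; an ISO form such as `date: 'YYYY-MM-DD'`, kept quoted so a YAML loader does not turn it into a date object, would be clearer for anyone copying the template. The `end with` example on `QueryName` depends on the leading dot in `'.thawte.com'` to keep the exclusion from matching any unrelated name that merely ends in the same letters; a comment above that line, `# keep the leading dot so only real subdomains are excluded`, would preserve that intent when the pattern is edited. `references: 'Relevant urls, etc'` is a single scalar, so if several references are expected a YAML list would spare consumers from splitting the string — whether the loader accepts both forms is not visible in the hunk.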