feat: new log channel windows-codeintegrity-operational

https://twitter.com/SBousseaden/status/1483810148602814466
This commit is contained in:
Florian Roth
2022-01-20 09:44:36 +01:00
parent 49502f3796
commit 68f0cdf338
14 changed files with 70 additions and 0 deletions
@@ -57,6 +57,11 @@ logsources:
service: printservice-operational
conditions:
EventLog: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
EventLog: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -57,6 +57,11 @@ logsources:
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -57,6 +57,11 @@ logsources:
service: printservice-operational
conditions:
log_name: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
log_name: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -81,6 +81,11 @@ logsources:
service: printservice-operational
conditions:
channel: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
index: windows
@@ -356,6 +356,11 @@ logsources:
service: printservice-operational
conditions:
product_name: 'PrintService'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
product_name: 'CodeIntegrity'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -57,6 +57,11 @@ logsources:
service: printservice-operational
conditions:
event_source: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
event_source: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -78,6 +78,11 @@ logsources:
service: printservice-operational
conditions:
Channel: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -98,6 +98,11 @@ logsources:
service: printservice-operational
conditions:
LogName: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
LogName: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -107,6 +107,11 @@ logsources:
service: printservice-operational
conditions:
source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
source: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
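Review bot: The `source:` value of the new `windows-codeintegrity-operational` entry drops the `WinEventLog:` prefix that the neighbouring `printservice-operational` entry in the same hunk carries (`source: 'WinEventLog:Microsoft-Windows-PrintService/Operational'`), so rules built for this logsource would be matched against a differently shaped value than every other channel in this backend config and would presumably never fire. The line should read `source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'`, which also matches the prefixed form used in the `sources:` list of the later hunk at `@@ -315`. The other configs in this commit follow their neighbours consistently, so only this hunk is affected; the enclosing `logsources` mapping continues outside the hunk.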
@@ -81,6 +81,11 @@ logsources:
service: printservice-operational
conditions:
EventChannel: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
EventChannel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -315,6 +315,11 @@ logsources:
service: printservice-operational
sources:
- "WinEventLog:Microsoft-Windows-PrintService/Operational"
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
sources:
- "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational"
windows-applocker:
product: windows
service: applocker
@@ -81,6 +81,11 @@ logsources:
service: printservice-operational
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -80,6 +80,11 @@ logsources:
service: printservice-operational
conditions:
winlog.channel: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
winlog.channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security
@@ -68,6 +68,11 @@ logsources:
service: printservice-operational
conditions:
Channel: 'Microsoft-Windows-PrintService/Operational'
windows-codeintegrity-operational:
product: windows
service: codeintegrity-operational
conditions:
Channel: 'Microsoft-Windows-CodeIntegrity/Operational'
windows-smbclient-security:
product: windows
service: smbclient-security