siem-soc-soar-logging.md

SIEM, SOC and logging

SOAR

• w5teams/w5 - Security Orchestration, Automation and Response (SOAR) Platform. 安全编排与自动化响应平台，无需编写代码的安全自动化，使用 SOAR 可以让团队工作更加高效
• flagify-com/OctoMation - OctoMation是一款免费的，具有可视化拖拽功能的编排与自动化产品。通过精心编排的Playbook，OctoMation能够联动数百款安全、网络、IT和SaaS等产品的基础能力。其主要特点包括低代码剧本编排、自动化事件响应、标准化流程操作以及可视化过程监控。 借助OctoMation，运营团队能够开展7x24小时自动化事件响应，不仅可以大幅减少对人员的过度依赖，还能确保团队工作质量始终维持在较高的水准上，最终实现“极速降本增效”

Log analysis / Visualization

• Yamato-Security/WELA - WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs - powershell实现
• countercept/chainsaw - Rapidly Search and Hunt through Windows Event Logs - eventlog分析工具，可以跑sigma规则，rust实现
• Scribery/tlog - Terminal I/O logger
  • USER SESSION RECORDING - An Open Source solution
• JPCERTCC/LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log - 2.5K star，持续更新
• THIBER-ORG/userline - Query and report user logons relations from MS Windows Security Events
• austin-taylor/VulnWhisperer - Create actionable data from your Vulnerability Scans
• sans-blue-team/DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs - 带样例日志
• Windows Security Log Events
• lucky-luk3/Grafiki - Threat Hunting tool about Sysmon and graphs
• ahmedkhlief/APT-Hunter - APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity

Log queries

• SigmaHQ/sigma - Generic Signature Format for SIEM Systems
  • Yamato-Security/hayabusa - Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs
  • Yamato-Security/hayabusa-rules - Detection rules for Hayabusa
• https://www.elastic.co/guide/en/security/current/prebuilt-rules.html
• FalconForceTeam/FalconFriday - Bi-weekly hunting queries
• MHaggis/CBR-Queries - Collection of useful, up to date, Carbon Black Response Queries
• beahunt3r/Windows-Hunting - Aid windows threat hunters to look for some common artifacts during their day to day operations
• Microsoft/WindowsDefenderATP-Hunting-Queries - Sample queries for Advanced hunting in Windows Defender ATP
• Hunting for reconnaissance activities using LDAP search filters - Metasploit/Powerview/Bloudhound的LDAP查询是有特征的
• BlueTeamLabs/sentinel-attack - Repository of sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework
• sbousseaden/Slides - Summarized Overview of different hunting paths an Analyst can take per EventId or technique
• menasec.net: Threat Hunting #26 - Remote Windows Service Creation / Recon - 包含 EventLog 的几个查询语句

SIEM

• TheHive-Project/TheHive - TheHive: a Scalable, Open Source and Free Security Incident Response Platform
• uncoder.io - SOC Prime - 转换SIEM查询语句的工具