Mitre rules.xlsx
29.2 KB
📚 A set of use cases mapped to MITRE ATT&CK that gives good perspective and ideas for writing better use cases.
@hypersec
#security
#splunk
#USECASE
Soorin knowledge-based company
🔗Splunk Use Cases
🔏 You can use these resources to get ideas for writing better queries.
1️⃣ https://0xcybery.github.io/blog/Splunk+Use+Cases
2️⃣ https://github.com/shauntdergrigorian/splunkqueries
@hypersec
#USECASE
#SPL
Soorin knowledge-based company
0xcybery.github.io
Splunk Use Cases
More than 80 Use Cases for Splunk.
usecase.pdf
2.2 MB
📚SIEM Use Cases by Paladion
45 use cases for Security Monitoring
#soorin #usecase
@hypersec
Soorin knowledge-based company
For Event ID 4697: A service was installed in the system
1. Monitor for all events where “Service File Name” is not located in %windir% or in the “Program Files” / “Program Files (x86)” folders. Typically, new services are located in these folders.
2. Check whether “Service Type” equals “0x1 (Kernel Driver)”, “0x2 (File System Driver)” or “0x8 (Recognizer Driver)”. These service types start first and have almost unlimited access to the operating system from the beginning of operating system startup. These types are rarely installed.
3. Check whether “Service Start Type” equals “0 (Boot)” or “1 (System)”. These service start types are used by drivers, which have unlimited access to the operating system.
4. Check whether “Service Start Type” equals “4”. It is not common to install a new service in the Disabled state.
5. Check whether “Service Account” does not equal “localSystem”, “localService” or “networkService”, to identify services which are running under a user account.
Credit by : Ahmadreza Norouzi
#SOC #UseCase #Detection
Soorin team
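As an added illustration of the five checks above (example code written for this page, not part of the original post or of any Soorin/Splunk content), the Python below applies them to 4697-style records. It assumes the 4697 field names (ServiceName, ServiceFileName, ServiceType, ServiceStartType, ServiceAccount), a system root of C:\Windows, and that the account field may carry an "NT AUTHORITY\" prefix; the events in SAMPLE_EVENTS are constructed, not captured telemetry. The path normalization (\SystemRoot\, %windir%, \??\, system32-relative driver paths) is included because drivers are usually logged in one of those forms, and a naive prefix match on "%windir%" would otherwise flag every legitimate driver under rule 1.

```python
"""Checks for Windows Security Event 4697 ("A service was installed in the system").

Added example, not from the original post. Field names follow the 4697 event
(ServiceName, ServiceFileName, ServiceType, ServiceStartType, ServiceAccount);
the events in SAMPLE_EVENTS are constructed for illustration, not captured data.
"""
import re
from typing import Dict, List

# Assumed system root; in production take %windir% from the host that logged the event.
WINDIR = r"C:\Windows"
TRUSTED_DIRS = (WINDIR.lower(), r"c:\program files", r"c:\program files (x86)")

DRIVER_TYPES = {0x1, 0x2, 0x8}        # rule 2: Kernel, File System, Recognizer driver
DRIVER_START_TYPES = {0, 1}           # rule 3: Boot, System
DISABLED_START = 4                    # rule 4: Disabled
BUILTIN_ACCOUNTS = {"localsystem", "localservice", "networkservice"}  # rule 5


def service_image_path(service_file_name: str) -> str:
    """Extract the binary path from ServiceFileName, dropping command-line arguments."""
    s = service_file_name.strip()
    m = re.match(r'"([^"]+)"', s)                                # "C:\path with spaces\svc.exe" -args
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|sys|dll))(?:\s|$)", s, re.I)    # unquoted path up to its extension
    if m:
        return m.group(1)
    return s.split()[0] if s else ""


def normalize_path(path: str) -> str:
    """Expand the forms drivers and services are commonly logged with into a full path."""
    p = re.sub(r"%(windir|systemroot)%", lambda _: WINDIR, path, flags=re.I)
    low = p.lower()
    if low.startswith("\\??\\"):                     # NT object-manager prefix
        p = p[4:]
        low = p.lower()
    if low.startswith("\\systemroot\\"):
        p = WINDIR + p[len("\\systemroot"):]
    elif low.startswith("system32\\"):               # driver paths logged relative to %windir%
        p = WINDIR + "\\" + p
    return p


def in_trusted_dir(path: str) -> bool:
    """Rule 1: is the binary under %windir% or either Program Files folder?"""
    low = path.lower()
    return any(low.startswith(d + "\\") for d in TRUSTED_DIRS)


def parse_code(value) -> int:
    """Accept 0x10, '0x1 (Kernel Driver)', '2', '2 (Auto Start)' or an int."""
    if isinstance(value, int):
        return value
    token = str(value).split()[0]
    return int(token, 16) if token.lower().startswith("0x") else int(token, 10)


def evaluate_4697(event: dict) -> List[str]:
    """Return the identifiers of the rules the event trips (empty list = nothing notable)."""
    findings = []
    path = normalize_path(service_image_path(str(event.get("ServiceFileName", ""))))
    if not in_trusted_dir(path):
        findings.append("1:binary_outside_trusted_dirs")
    if parse_code(event.get("ServiceType", 0)) in DRIVER_TYPES:
        findings.append("2:driver_service_type")
    start = parse_code(event.get("ServiceStartType", 2))
    if start in DRIVER_START_TYPES:
        findings.append("3:boot_or_system_start")
    if start == DISABLED_START:
        findings.append("4:installed_disabled")
    # Assumed: the account is logged as "LocalSystem" or "NT AUTHORITY\LocalService";
    # compare only the last path component, case-insensitively.
    account = str(event.get("ServiceAccount", "")).rsplit("\\", 1)[-1].lower()
    if account not in BUILTIN_ACCOUNTS:
        findings.append("5:user_account")
    return findings


def scan(events) -> Dict[str, List[str]]:
    """Map ServiceName -> findings for every event that trips at least one rule."""
    return {e["ServiceName"]: f for e in events if (f := evaluate_4697(e))}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ServiceName": "VendorAgent", "ServiceFileName": r'"C:\Program Files\Vendor\Agent\agent.exe" --service',
     "ServiceType": "0x10", "ServiceStartType": "2", "ServiceAccount": "LocalSystem"},
    {"ServiceName": "svchost", "ServiceFileName": r"C:\Users\Public\svchost.exe",
     "ServiceType": "0x10", "ServiceStartType": "2", "ServiceAccount": r"CORP\jdoe"},
    {"ServiceName": "vendordrv", "ServiceFileName": r"\SystemRoot\System32\drivers\vendordrv.sys",
     "ServiceType": "0x1 (Kernel Driver)", "ServiceStartType": "0 (Boot)", "ServiceAccount": "LocalSystem"},
    {"ServiceName": "updater", "ServiceFileName": r"%windir%\Temp\updater.exe",
     "ServiceType": "0x10", "ServiceStartType": "4", "ServiceAccount": r"NT AUTHORITY\NetworkService"},
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(findings)}")
```

Each rule is reported separately rather than collapsed into one alert so an analyst can see why a service scored: the kernel driver in the sample trips rules 2 and 3 together (expected for a driver, worth a look when the vendor is unknown), while the executable under C:\Users\Public trips rules 1 and 5, a combination the post treats as the more unusual one.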
Source: LinkedIn, #Security_Monitoring_Recommendations | Ahmadreza Norouzi