What is this PR for?
Addition of two native Elastalert rules to the repo. (sigmac conversion not currently working correctly, so I've created these for now)
PLEASE NOTE: to replay events with elastalert, you will need to add the following line to the rule being tested before replaying so elastalert is looking at the timestamp of ingestion:
What type of PR is it? HELK Elastalert rules
How should this be tested?
Tested by replaying events.
DE_1102_security_log_cleared.evtx
sysmon_10_11_lsass_memdump.evtx
Questions:
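For readers unfamiliar with what a "native Elastalert rule" looks like, the following is an added illustration of the first rule's topic (Windows Security event log cleared, Event ID 1102), written for this review and not one of the rules submitted in this PR. The index pattern and the field names `event_id`, `log_name`, `computer_name` and `user_name` are assumptions about a HELK/Winlogbeat mapping and must be adjusted to the actual index mapping.

```yaml
# Added example rule (not part of this PR): alert whenever a Windows host
# records Event ID 1102, "The audit log was cleared" in the Security log.
# Field names and index pattern are assumptions for a HELK-style mapping.
name: Windows Security event log cleared (Event ID 1102)
type: any                      # fire on every matching document
index: logs-endpoint-winevent-security-*   # assumption: adjust to your index

# Do not suppress repeats: every log clear is worth a separate alert.
realert:
  minutes: 0

filter:
  - query:
      query_string:
        query: 'event_id:1102 AND log_name:"Security"'

# 'debug' writes the alert to the ElastAlert log; swap for email/slack etc.
alert:
  - debug

alert_text_type: alert_text_only
alert_text: "Security event log cleared on {0} by {1}"
alert_text_args:
  - computer_name
  - user_name
```

When replaying an `.evtx` file as the PR describes, the event's own `@timestamp` lies in the past, outside ElastAlert's query window; ElastAlert's `timestamp_field` option is the setting that selects which field it treats as the event time, and the exact line the PR author refers to for pointing it at the ingestion time is not reproduced here.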