Bluecheck output should be fully parsed by Logstash, and alarms should be raised on it. Data is sent to a dedicated bluecheck-* index.
[x] Create logstash filter rule for Bluecheck Certcheck (checks TLS certificate info for a specified domain)
[x] Create logstash filter rule for Bluecheck SecurityTools (checks for active AV/EDR/forensics tools on the host)
[ ] Create logstash filter rule for Bluecheck PasswordCheck (checks the password change date of a specified account)
[x] Update index patterns and saved objects for updated bluecheck index
[ ] Create alarm for CertCheck: alert when the output for a given domain differs from the previous run.
[ ] Create alarm for SecurityToolCheck: alert when the set of running security tools reported for a host differs from the previous run.
[ ] Create alarm for PasswordCheck: detection logic not decided yet; a first idea is to alert when several accounts have their password changed on the same date.