Closed TheHmadQureshi closed 5 years ago
Yes, this can be done.
Please review the code. The detection logic begins on line 98 of the PowerShell script. https://github.com/sans-blue-team/DeepBlueCLI/blob/5c0c9723284b9582eb870457ad5c07d666ec9fa6/DeepBlue.ps1#L98
I hope this helps. Please let us know... I'd like to be sure you're OK with this response before I close this.
Hey @besimorhino, thanks for replying. Seems like I will have to manually identify and create signatures/SIEM searches based on this script. Yes, you may close this ticket.
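To illustrate what "create SIEM searches based on this script" looks like in practice, here is an added example (not code from DeepBlueCLI or from anyone in this thread). It takes two DeepBlueCLI-style checks on process-creation and service-install events, a long command line and an encoded PowerShell flag, and expresses each twice: as a function run over normalised events the way a SIEM rule engine would, and as a search string. The field names (`event_id`, `command_line`, `"Process CommandLine"`), the AQL-like query syntax, the 1000-character threshold and the regex are assumptions for the example, not QRadar's canonical names or DeepBlueCLI's exact logic; the sample events are constructed.

```python
"""SIEM-side port of two DeepBlueCLI-style detections (added example).

Assumptions: the SIEM normalises Windows Security/System events into a
dict with event_id, host, image and command_line; field names, the
threshold and the search syntax below are illustrative, not QRadar's.
"""
import re
from dataclasses import dataclass

# Constructed sample events, shaped the way a SIEM normaliser might emit them.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "srv01",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\a\notes.txt"},
    {"event_id": 4688, "host": "srv01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc " + "QQBB" * 300},
    {"event_id": 7045, "host": "srv02", "image": "",
     "command_line": "%COMSPEC% /c " + "A" * 1200},
    {"event_id": 4624, "host": "srv02", "image": "", "command_line": ""},
]

# Event IDs that carry a command line worth inspecting:
# 4688 = process creation (Security), 7045 = service installed (System).
COMMAND_EVENTS = (4688, 7045)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...). Match those, but not -ExecutionPolicy (the 'x' breaks it).
ENCODED_FLAG = re.compile(r"(?i)\s-e(?:c|n[a-z]*)?\s")


@dataclass
class Alert:
    host: str
    event_id: int
    rule: str
    detail: str


def check_event(event, minlength=1000):
    """Apply both rules to one normalised event; return the alerts raised."""
    alerts = []
    if event.get("event_id") not in COMMAND_EVENTS:
        return alerts
    cmd = event.get("command_line") or ""
    if len(cmd) > minlength:
        alerts.append(Alert(event["host"], event["event_id"],
                            "long_command_line", f"{len(cmd)} chars"))
    if ENCODED_FLAG.search(cmd):
        alerts.append(Alert(event["host"], event["event_id"],
                            "encoded_powershell", "-EncodedCommand prefix"))
    return alerts


def run_detections(events, minlength=1000):
    """Run the rules over a batch of events, as a scheduled SIEM search would."""
    return [a for e in events for a in check_event(e, minlength)]


def siem_queries(minlength=1000):
    """The same two rules as search strings (assumed AQL-like syntax and
    field names; adjust to whatever your SIEM actually calls the fields)."""
    ids = " OR ".join(f'"EventID"={i}' for i in COMMAND_EVENTS)
    return {
        "long_command_line":
            f'SELECT "Hostname", "EventID", "Process CommandLine" FROM events '
            f'WHERE ({ids}) AND STRLEN("Process CommandLine") > {minlength}',
        "encoded_powershell":
            f'SELECT "Hostname", "EventID", "Process CommandLine" FROM events '
            f'WHERE ({ids}) AND "Process CommandLine" MATCHES '
            f"'(?i).*\\s-e(c|n[a-z]*)?\\s.*'",
    }


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
    for name, query in siem_queries().items():
        print(f"{name}: {query}")
```

The point of keeping the rule as a function and as a query side by side is that the function can be unit-tested against saved events before the query is deployed, and any change to the threshold or regex is made in one place.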
Hi everyone, and thanks for this amazing tool. I have a SIEM in my environment which is configured to process Windows logs (System, Security, Application) from critical servers, meaning I don't have access to EVTX files, and I want to use the signatures of DeepBlueCLI and search for them on my SIEM (QRadar, btw, and don't buy it, it sucks!). Any idea if this can be accomplished?