Closed. mthcht closed this pull request 6 months ago.
For the real telemetry logs that are continuously logged (they have a similar format, but we only have 3 categories: process, network and authentication):
@tsale I changed the PR: when an alert is triggered for a specific event but there are no telemetry logs available to support it (for instance, an 'image loaded' event is only logged as an alert when a threat is identified, without continuous telemetry tracking for image loading), I categorize the telemetry as 'No'.
Thanks for the edits @mthcht! I'll approve these changes.
For transparency, I chatted with @mthcht directly regarding this PR requesting more information.
HarfangLab
Description
Please provide the below information so we can validate before merging:
Sanitized log samples:
Process Creation
alert_subtype=process alert_type=sigma log_type=alert
signature="Discovery: Ipconfig"
Process Access
alert_subtype=process alert_type=sigma log_type=alert
signature="LSASS process memory access from unknown module"
Image/Library Loaded + Driver Loaded
alert_subtype=process alert_type=sigma log_type=alert
signature="LSASS.exe Loads Unsigned DLL"
signature="IOC driver check"
File Manipulation + File Modification + File Creation
signature="File Added/Modified In Startup Directory"
signature="Kerberos Ticket File Exported to Disk"
Local Account Creation + Script-Block Activity
signature="Local User Created via PowerShell"
signature="Powershell: Local User Creation"
Registry Activity
signature="Registry Autorun Key" and other signatures
Key/Value Modification
signature="Windows Defender Exclusion List Modified"
Scheduled Task Creation
signature="Scheduled Task Created in Temporary Directory"
Type of change
Please delete options that are not relevant.
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.
Test Configuration: default
Checklist:
Don't stress yourself out, just answer the above to the best of your ability and we can discuss in the comments 🙂
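The samples above are all `log_type=alert` records, while mthcht's rule in the comments marks an event category as telemetry 'No' when it only ever appears as a signature alert and 'Yes' when continuous process, network or authentication telemetry exists. The following is an added example (not code from the EDR-Telemetry project or from HarfangLab) that parses such key=value lines and applies that rule. It assumes, as the comments suggest but the page does not show, that telemetry records share the key=value format with `log_type` set to `process`, `network` or `authentication`; the one telemetry line in the sample set is constructed for illustration.

```python
"""Parse HarfangLab-style key=value event lines and decide whether an event
category is backed by continuous telemetry or only by signature alerts.

Added example, not part of the PR or of the EDR-Telemetry project.
Assumption (not shown on the page): telemetry records use the same
key=value format with log_type in {process, network, authentication},
and alert records always carry log_type=alert.
"""
import shlex

# The three continuous telemetry categories named in the PR discussion.
TELEMETRY_LOG_TYPES = {"process", "network", "authentication"}

# Sample lines: the alert lines are the sanitized samples from the PR;
# the process line is CONSTRUCTED here to stand in for a telemetry record.
SAMPLES = {
    "Process Creation": [
        'alert_subtype=process alert_type=sigma log_type=alert signature="Discovery: Ipconfig"',
        # constructed telemetry record (field names are assumptions)
        'log_type=process process_name=ipconfig.exe parent_name=cmd.exe',
    ],
    "Process Access": [
        'alert_subtype=process alert_type=sigma log_type=alert '
        'signature="LSASS process memory access from unknown module"',
    ],
    "Image/Library Loaded": [
        'alert_subtype=process alert_type=sigma log_type=alert signature="LSASS.exe Loads Unsigned DLL"',
        'alert_subtype=process alert_type=sigma log_type=alert signature="IOC driver check"',
    ],
    "Key/Value Modification": [
        'alert_subtype=process alert_type=sigma log_type=alert '
        'signature="Windows Defender Exclusion List Modified"',
    ],
}


def parse_kv_line(line: str) -> dict:
    """Split one event line into a dict, honouring double-quoted values
    such as signature="Discovery: Ipconfig"."""
    record = {}
    for token in shlex.split(line):
        if "=" not in token:
            continue  # stray token: skip it rather than abort the whole line
        key, value = token.split("=", 1)
        record[key] = value
    return record


def telemetry_support(record: dict) -> str:
    """'Yes' for a continuous telemetry record, 'No' for an alert-only
    record, 'Unknown' for any other log_type (e.g. a field missing)."""
    log_type = record.get("log_type", "")
    if log_type in TELEMETRY_LOG_TYPES:
        return "Yes"
    if log_type == "alert":
        return "No"
    return "Unknown"


def classify_categories(samples: dict) -> dict:
    """Apply the PR rule per category: 'Yes' if at least one sample is a
    telemetry record, otherwise 'No' if every sample is an alert, else
    'Unknown'."""
    result = {}
    for category, lines in samples.items():
        verdicts = {telemetry_support(parse_kv_line(line)) for line in lines}
        if "Yes" in verdicts:
            result[category] = "Yes"
        elif verdicts == {"No"}:
            result[category] = "No"
        else:
            result[category] = "Unknown"
    return result


if __name__ == "__main__":
    for category, verdict in classify_categories(SAMPLES).items():
        print(f"{category:28} telemetry={verdict}")
```

Running the block prints one line per category; only "Process Creation" comes out as 'Yes', because it is the only category with a (constructed) non-alert record, matching the reasoning in the comments that image loads, LSASS access and registry changes surface only as sigma alerts in these samples.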