
Bluecheck content parsing and alarm

Open MarcOverIP opened this issue 3 years ago • 1 comments

Bluecheck output should be fully parsed by Logstash, and alarms should be made. Data is sent to a dedicated bluecheck-* index.

  • [x] Create logstash filter rule for Bluecheck Certcheck (check for TLS cert info on specified domain)
  • [x] Create logstash filter rule for Bluecheck SecurityTools (check for active AV/EDR/Forensics tools on the host)
  • [ ] Create logstash filter rule for Bluecheck PasswordCheck (check for password change date of specified account)
  • [x] Update index patterns and saved objects for updated bluecheck index
  • [ ] Create alarm for CertCheck: check for change in output for specific domain.
  • [ ] Create alarm for SecurityToolCheck: check for change in output for running security tools on this host.
  • [ ] Create alarm for PasswordCheck: ??? not sure yet on how to detect rogue action here, maybe check if multiple accounts are changed on the same date?
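One way to express the change-detection alarms from the checklist above (CertCheck and SecurityToolCheck as "value differs from the previous run per domain/host", PasswordCheck as the tentative "several accounts changed on the same date" heuristic), as an added Python example that is not RedELK's own code. The event field names (domain, fingerprint, host, tools, account, pwdlastset) and the sample records are constructed assumptions, not the real bluecheck-* mapping.

```python
from collections import defaultdict

# Constructed sample events standing in for parsed bluecheck-* documents.
# Field names are assumptions, not RedELK's real index mapping.
CERTCHECK = [
    {"@timestamp": "2022-01-20", "domain": "www.example.org", "fingerprint": "aa11"},
    {"@timestamp": "2022-01-21", "domain": "www.example.org", "fingerprint": "aa11"},
    {"@timestamp": "2022-01-22", "domain": "www.example.org", "fingerprint": "bb22"},
    {"@timestamp": "2022-01-22", "domain": "cdn.example.org", "fingerprint": "cc33"},
]
SECURITYTOOLS = [
    {"@timestamp": "2022-01-20", "host": "ws01", "tools": ["Defender"]},
    {"@timestamp": "2022-01-21", "host": "ws01", "tools": ["Defender", "Sysmon"]},
    {"@timestamp": "2022-01-21", "host": "ws02", "tools": []},
]
PASSWORDCHECK = [
    {"account": "alice", "pwdlastset": "2022-01-10"},
    {"account": "bob", "pwdlastset": "2022-01-22"},
    {"account": "carol", "pwdlastset": "2022-01-22"},
    {"account": "dave", "pwdlastset": "2022-01-22"},
]


def change_alarms(records, key_field, value_field):
    """Per key (domain or host), alarm whenever the checked value differs from the previous run."""
    last, alarms = {}, []
    for r in sorted(records, key=lambda r: r["@timestamp"]):  # stable sort keeps same-day order
        key, value = r[key_field], r[value_field]
        if isinstance(value, list):
            value = frozenset(value)  # a tool list is a set: order must not trigger an alarm
        if key in last and last[key] != value:
            alarms.append({"key": key, "old": last[key], "new": value, "at": r["@timestamp"]})
        last[key] = value  # first sighting of a key is a baseline, not an alarm
    return alarms


def passwordcheck_alarms(records, threshold=3):
    """Alarm on dates where at least `threshold` monitored accounts had their password set."""
    by_date = defaultdict(list)
    for r in records:
        by_date[r["pwdlastset"]].append(r["account"])
    return {d: sorted(a) for d, a in by_date.items() if len(a) >= threshold}


if __name__ == "__main__":
    print(change_alarms(CERTCHECK, "domain", "fingerprint"))
    print(change_alarms(SECURITYTOOLS, "host", "tools"))
    print(passwordcheck_alarms(PASSWORDCHECK))
```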

MarcOverIP avatar Jan 24 '22 21:01 MarcOverIP

Tracked in branch bluecheck-update

MarcOverIP avatar Jan 24 '22 21:01 MarcOverIP