Searches For Threat Hunting and Security Analytics
A collection of known log and/or event data searches for threat hunting and detection. They enumerate sets of searches used across many different data pipelines; the implementation details given here are for ELK (Elasticsearch, Logstash, Kibana). Adama is part of the SpaceCake project, which is a set of hunts, searches, alerts, visualizations and data pipelines for intrusion detection, security analytics and threat hunting using F/OSS (free and open-source) tools.
Authentication – searches for authentication data sets hunting for brute force, credential compromise, credentialed persistence and session fixation/hijacking
Cloud – searches for cloud and virtualization specific threats using API and cloud-centric data
Correlation – search techniques that combine different events in order to make complex and sophisticated detections
Cross-platform – general purpose searches for threat hunting on hosts. These behavioral detection techniques are relevant to Linux, macOS and Windows hosts
Database – searches for database monitoring and compromise
Exfiltration – a list of known data exfiltration techniques and related searches
Linux – searches for threat hunting on Linux hosts
Mac – searches for threat hunting on macOS hosts
Machine Learning – anomaly detection searches using the significant terms aggregation; good for finding things that evade conventional rules
Network – searches for threat hunting using network data like IDS, proxy and flow events
Web – searches for detecting attacks on web services using web server logs
Windows – searches for threat hunting on Windows hosts
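The Machine Learning entry above relies on the Elasticsearch significant terms aggregation, which ranks a field's values not by raw volume but by how much more often they occur in a "foreground" set (for example, failed logins) than in the background of all events. The following is an added illustration, not code from the Adama or SpaceCake projects: it re-implements the aggregation's default JLH scoring in plain Python over a constructed authentication data set, and places the equivalent query DSL alongside it. The field names (`src_ip`, `outcome`, `source.ip`, `event.outcome`), the sample IP addresses and the event counts are all assumptions chosen for the demonstration. It generalizes the page's one-line description by showing why a plain top-N count and a significance score can disagree: the busiest internal address produces the most failures in absolute terms, yet only the address whose traffic is almost entirely failures is flagged.

```python
from collections import Counter

# Equivalent Elasticsearch query (assumed ECS-style field names; the
# significant_terms aggregation and its min_doc_count option are real DSL).
ES_QUERY = {
    "query": {"term": {"event.outcome": "failure"}},
    "aggs": {
        "suspicious_sources": {
            "significant_terms": {"field": "source.ip", "min_doc_count": 3}
        }
    },
}


def make_events(src_ip, total, failures):
    """Constructed sample data: `total` auth events from one source,
    of which the first `failures` have outcome=failure."""
    return [
        {"src_ip": src_ip, "outcome": "failure" if i < failures else "success"}
        for i in range(total)
    ]


# Constructed background: a busy office egress address with a normal
# failure rate, a quiet internal host, and an external address that
# only ever fails. None of these are real observations.
EVENTS = (
    make_events("10.0.0.5", total=100, failures=8)    # noisy but benign
    + make_events("10.0.0.7", total=20, failures=1)   # quiet, benign
    + make_events("203.0.113.9", total=7, failures=7) # fails every time
)


def raw_top_terms(events, field, foreground):
    """What a plain `terms` aggregation on the foreground would return:
    values ranked by raw document count."""
    counts = Counter(e[field] for e in events if foreground(e))
    return counts.most_common()


def significant_terms(events, field, foreground, min_doc_count=1):
    """Re-implementation of the significant_terms aggregation with JLH
    scoring: (fg_prob - bg_prob) * (fg_prob / bg_prob), where fg_prob is the
    term's share of foreground documents and bg_prob its share of the whole
    index. Terms that are no more common in the foreground than in the
    background are dropped, as the aggregation does."""
    bg_counts = Counter(e[field] for e in events)
    fg_events = [e for e in events if foreground(e)]
    fg_counts = Counter(e[field] for e in fg_events)
    bg_total, fg_total = len(events), len(fg_events)
    if fg_total == 0:
        return []

    scored = []
    for term, fg_n in fg_counts.items():
        if fg_n < min_doc_count:
            continue
        fg_p = fg_n / fg_total
        bg_p = bg_counts[term] / bg_total
        if fg_p <= bg_p:
            continue  # not over-represented in the foreground
        scored.append(
            {
                "key": term,
                "doc_count": fg_n,            # foreground hits
                "bg_count": bg_counts[term],  # background hits
                "score": (fg_p - bg_p) * (fg_p / bg_p),
            }
        )
    return sorted(scored, key=lambda s: s["score"], reverse=True)


def is_failure(event):
    return event["outcome"] == "failure"


if __name__ == "__main__":
    print("top by raw failure count:", raw_top_terms(EVENTS, "src_ip", is_failure))
    for bucket in significant_terms(EVENTS, "src_ip", is_failure, min_doc_count=3):
        print("significant:", bucket)
```

Run as a script it shows the office address 10.0.0.5 at the head of the raw count (8 failures) while the significance ranking contains only 203.0.113.9, whose 7 failures are 7 of its 7 events. In the real aggregation the `min_doc_count` floor is the main lever against single-event noise; tuning it, and the choice of foreground query, is what turns this into a usable hunt rather than an alert on every rare value.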
git clone
Copyright (C) 2018 – 2019 by Craig Chamberlain.