Is this even possible?

Hi all! I have been a pentester but now I'm working on the blue side of things. So anyway, I know all the malicious commands, the programs, and what an attacker will type, say into PowerShell or into their attack machine.

Anyway, we have ELK. Looking into Kibana, I can see there are pre-built rules and I can duplicate them and make edits in the custom query. But the custom query looks like it's the output of how Windows will react when something malicious occurs. What I want to do is add a custom query of common pentesting commands, and if they are typed and entered then an alert happens.

Take for instance something basic, like a query for nmap for network scanning: sudo nmap -sC -sV -O -A, etc. I know there is already a pre-built rule for this, but this is just an example. Is there a way in Kibana to write an alert for PowerShell terminal commands a malicious threat will use directly, instead of formatting the custom query on how Windows processes take place, etc., when an attack happens?

I'm afraid the answer is no. Elastic Defend only monitors process execution, but does not perform deep PowerShell inspection at runtime. When you open a PowerShell window, all typed commands are interpreted and executed by the shell. Elastic Defend does not see them unless new processes are created.
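As an added illustration (not code from this thread, from Elastic, or from Kibana), here is a small Python checker that applies the kind of "what an attacker would type" signature the question asks for to process-creation events, which is the data the reply says Elastic Defend does surface. The field names (process.name, process.command_line, process.args, process.parent.name, event.category, event.type) follow ECS; the sample events, host names and addresses are constructed, and the KQL string attached to the signature is a hand-written equivalent of the regex for pasting into a custom rule's query, not text taken from any pre-built rule.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A command-line pattern to alert on, plus an equivalent Kibana query."""
    name: str
    pattern: str   # Python regex applied to the reconstructed command line
    kql: str       # hand-written KQL equivalent (assumes ECS field names)
    severity: str = "medium"


# The nmap flags come straight from the question; the regex is an assumption
# about how those flags show up on a process command line.
SIGNATURES = [
    Signature(
        name="Nmap service/OS scan",
        # "nmap" or "nmap.exe" (any case) preceded by start of line, a path
        # separator, whitespace or a quote, followed by one of the scan flags.
        pattern=r'''(?:^|[\\/\s"'])(?i:nmap(?:\.exe)?)["']?\s+.*-(?:sC|sV|O|A)\b''',
        kql='process.name : ("nmap" or "nmap.exe") and '
            'process.args : ("-sC" or "-sV" or "-O" or "-A")',
        severity="high",
    ),
]


def command_line_of(event: dict) -> str:
    """Prefer process.command_line; fall back to joining process.args."""
    proc = event.get("process", {})
    if proc.get("command_line"):
        return proc["command_line"]
    return " ".join(proc.get("args", []))


def match_event(event: dict, signatures=SIGNATURES) -> list:
    """Return one alert dict per signature that matches a process-start event."""
    meta = event.get("event", {})
    if meta.get("category") != "process" or meta.get("type") != "start":
        return []  # only process creation carries a command line to inspect
    cmd = command_line_of(event)
    proc = event.get("process", {})
    alerts = []
    for sig in signatures:
        if re.search(sig.pattern, cmd):
            alerts.append({
                "rule": sig.name,
                "severity": sig.severity,
                "host": event.get("host", {}).get("name"),
                "user": event.get("user", {}).get("name"),
                "process": proc.get("name"),
                "parent": proc.get("parent", {}).get("name"),
                "command_line": cmd,
            })
    return alerts


def scan(events, signatures=SIGNATURES) -> list:
    """Run every signature over every event and collect the alerts."""
    alerts = []
    for ev in events:
        alerts.extend(match_event(ev, signatures))
    return alerts


def _proc(name, command_line=None, args=None, parent="explorer.exe",
          host="ws01", user="alice", category="process", etype="start"):
    """Build a constructed ECS-style event for the samples below."""
    proc = {"name": name, "parent": {"name": parent}}
    if command_line is not None:
        proc["command_line"] = command_line
    if args is not None:
        proc["args"] = args
    return {"event": {"category": category, "type": etype},
            "process": proc, "host": {"name": host}, "user": {"name": user}}


# Constructed sample telemetry (not real data). The first event is the
# interactive shell itself: whatever gets typed into it later never appears.
SAMPLE_EVENTS = [
    _proc("powershell.exe", "powershell.exe"),
    _proc("nmap.exe", "nmap.exe -sC -sV -O -A 10.0.0.0/24", parent="powershell.exe"),
    _proc("cmd.exe", "cmd.exe /c dir"),
    _proc("nmap.exe", args=["nmap.exe", "-sV", "10.0.0.5"], host="ws02"),
    _proc("nmap", "nmap -sC -sV -O -A 10.0.0.7", parent="sudo", host="srv01", user="bob"),
    _proc("nmap.exe", '"C:\\Program Files (x86)\\Nmap\\nmap.exe" -sV 10.0.0.9',
          parent="cmd.exe", host="ws03"),
    _proc("nmap.exe", "nmap.exe -sV 10.0.0.11", category="network", etype="connection"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints four alerts: the nmap launched from PowerShell, the args-only event, the Linux run under sudo and the quoted full-path launch. The interactive powershell.exe start produces nothing, which is the limitation the reply describes: a command-line rule only fires for things that become their own process, so anything handled inside the shell is invisible to it. The network-category event is skipped because it carries no process creation to inspect.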