Good morning everyone,
I have recently set up ELK with Elastic on cloud and I am in the process of configuring watch. I want to mainly use this to monitor my environment for suspicious events like: new user created, 5-10 failed login attempts, new task scheduled, new process created, a user trying to escalate privileges, etc.
As we all know, this can be time-consuming. I was wondering if you know of any repo/site with already created JSON queries that I can use?
I found a great website, https://uncoder.io/, that allows you to create Elastic queries, but I haven't figured out how to do it yet.
Maybe we should create a separate thread where people can share advanced watch rules written in JSON. Maybe we already have something like this?
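As an added illustration of the kind of JSON the post is asking for (this is an example written here, not something from the original post, from uncoder.io, or from Elastic's own rule set), below is a Watcher definition for the "5-10 failed login attempts" case: every 5 minutes it searches the last 5 minutes of events, groups authentication failures by account name, and fires only when at least one account has 5 or more failures. The index pattern `logs-*`, the ECS field names (`event.category`, `event.outcome`, `user.name`, `@timestamp`), the 5-minute window and the threshold of 5 are all assumptions and need to be adjusted to how your own data is ingested.

```json
{
  "metadata": {
    "description": "Added example: alert when one account fails to log in 5+ times in 5 minutes",
    "threshold": 5
  },
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "logs-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term":  { "event.category": "authentication" } },
                { "term":  { "event.outcome":  "failure" } },
                { "range": { "@timestamp": { "gte": "now-5m" } } }
              ]
            }
          },
          "aggs": {
            "failed_by_user": {
              "terms": {
                "field": "user.name",
                "min_doc_count": 5,
                "size": 50
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "return ctx.payload.aggregations.failed_by_user.buckets.size() > 0;"
    }
  },
  "actions": {
    "log_failed_logins": {
      "throttle_period": "15m",
      "logging": {
        "level": "warn",
        "text": "Repeated failed logins in the last 5m:\n{{#ctx.payload.aggregations.failed_by_user.buckets}}{{key}}: {{doc_count}} failures\n{{/ctx.payload.aggregations.failed_by_user.buckets}}"
      }
    }
  }
}
```

Install it with `PUT _watcher/watch/failed-logins-by-user` and the body above, then `POST _watcher/watch/failed-logins-by-user/_execute` to dry-run it against live data. The threshold lives in the `min_doc_count` of the terms aggregation rather than in the condition, so the condition script stays trivial and the action text lists only the offending accounts. The `throttle_period` stops the same watch from re-alerting every 5 minutes while a noisy account keeps failing; swap the `logging` action for `email`, `slack` or `webhook` once the query is tuned. The other cases in the post (new user created, new scheduled task, new process) follow the same shape with a different `query` filter and usually no aggregation.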