The severity of an attack will change depending on where the attack happened. For example, credential stealing via Mimikatz on a domain controller is much more serious than on a regular employee's workstation. Therefore I want to be able to create a list of computer names in a configuration file ./config/critical_systems.txt and any time csv-timeline or json-timeline is run, the severity level will be increased by one, with the exception of informational alerts. For example, low now becomes medium, etc.
Since critical is the highest, we will need to create a new level above that. Since I would consider a compromised DC an emergency, I think this would be appropriate naming: emergency alerts, emergency detections, etc.
We need to update the Results Summary output at the end to include this information. For the top 5/10 alerts table, we can make the informational alerts only 5 instead of 10 to make room for the top 5 emergency alerts.
I would like to have a different color eventually but for now, we can output the emergency alerts in the same red color as critical alerts.
For the 4 letter abbreviations we use in the level column/field, we can use emer.
Note: I am also planning on adding another command to search for events only found on domain controllers, file servers, etc.. to identify critical systems and make it easy to add the computer names to the config file. I will create a separate issue for that.
@fukusuket Would you be interested in implementing this?
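The escalation rule sketched in this issue (bump the level one step for events whose Computer field is listed in ./config/critical_systems.txt, leave informational alone, add emergency above critical, abbreviate it as emer), written out as an added example in Rust. This is illustrative code, not the project's own implementation; the file format (one name per line, `#` comments), case-insensitive name matching, the `Level` type and the abbreviations other than emer are assumptions.

```rust
// Added example (not project code): severity escalation for events from
// critical systems, following the behaviour described in the issue.
use std::collections::HashSet;

/// Alert levels in ascending order; Emergency is the proposed new ceiling.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Level {
    Informational,
    Low,
    Medium,
    High,
    Critical,
    Emergency,
}

impl Level {
    /// Parse a rule's level string (case-insensitive, full name or abbreviation).
    pub fn parse_level(s: &str) -> Option<Level> {
        match s.trim().to_ascii_lowercase().as_str() {
            "informational" | "info" => Some(Level::Informational),
            "low" => Some(Level::Low),
            "medium" | "med" => Some(Level::Medium),
            "high" => Some(Level::High),
            "critical" | "crit" => Some(Level::Critical),
            "emergency" | "emer" => Some(Level::Emergency),
            _ => None,
        }
    }

    /// Abbreviation for the level column. "emer" is the one proposed in the
    /// issue; the others are assumed here.
    pub fn abbrev(self) -> &'static str {
        match self {
            Level::Informational => "info",
            Level::Low => "low",
            Level::Medium => "med",
            Level::High => "high",
            Level::Critical => "crit",
            Level::Emergency => "emer",
        }
    }

    /// Raise the level by one step. Informational is exempt, and emergency
    /// is already the top, so both map to themselves.
    pub fn escalate(self) -> Level {
        match self {
            Level::Informational => Level::Informational,
            Level::Low => Level::Medium,
            Level::Medium => Level::High,
            Level::High => Level::Critical,
            Level::Critical | Level::Emergency => Level::Emergency,
        }
    }
}

/// Computer names loaded from ./config/critical_systems.txt.
pub struct CriticalSystems {
    names: HashSet<String>,
}

impl CriticalSystems {
    /// Parse file contents: one computer name per line, blank lines and
    /// '#' comments ignored (assumed format). Names are lower-cased so that
    /// matching is case-insensitive, since the Computer field in event logs
    /// is not consistently cased.
    pub fn parse(contents: &str) -> CriticalSystems {
        let names = contents
            .lines()
            .map(str::trim)
            .filter(|l| !l.is_empty() && !l.starts_with('#'))
            .map(|l| l.to_ascii_lowercase())
            .collect();
        CriticalSystems { names }
    }

    pub fn contains(&self, computer: &str) -> bool {
        self.names.contains(&computer.trim().to_ascii_lowercase())
    }
}

/// Level to report for an event: escalated when its Computer field is a
/// listed critical system, otherwise the rule's own level.
pub fn effective_level(rule_level: Level, computer: &str, critical: &CriticalSystems) -> Level {
    if critical.contains(computer) {
        rule_level.escalate()
    } else {
        rule_level
    }
}

/// Constructed sample config standing in for ./config/critical_systems.txt.
pub const SAMPLE_CONFIG: &str = "# domain controllers\nDC01\nDC02\n# file server\nFS01\n";

fn main() {
    let critical = CriticalSystems::parse(SAMPLE_CONFIG);
    // Constructed sample events: (Computer field, rule level).
    let events = [("DC01", "critical"), ("dc02", "informational"), ("WS-042", "high")];
    for (computer, level) in events {
        let rule_level = Level::parse_level(level).expect("known level");
        let shown = effective_level(rule_level, computer, &critical);
        println!("{computer:>8}  {} -> {}", rule_level.abbrev(), shown.abbrev());
    }
}
```

Keeping the escalation in one `escalate` function means the Results Summary and the level column share a single definition of the mapping, so the informational exemption and the emergency ceiling cannot drift apart between the two outputs.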