# Performing enterprise-wide DFIR and Threat Hunting with Yamato Security OSS tools - Akira Nishikawa, Fukusuke Takahashi, Zach Mathis {%hackmd @HITCON/HkzqEGQsR %} > 從這裡開始 ### Yamato Security tools - Hayabusa - Takajo - Yamato Security's Windows event log configuration guide for dfir and threat hunting - etc... ### Hayabusa [Yamato-Security/hayabusa: Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.](https://github.com/Yamato-Security/hayabusa) > Sigma rule > [SigmaHQ/sigma: Main Sigma Rule Repository - https://github.com/SigmaHQ/sigma](https://github.com/SigmaHQ/sigma) > Advantage: > Easy to write/read YAML files > many free ,high quality, up-to-date rules > Can convert to any backend out there(Splunk,Elastic,Qradar,KQL,etc......) [Release v2.17.0 🦅 · Yamato-Security/hayabusa 2.17.0 [2024/08/23] "HITCON Release"](https://github.com/Yamato-Security/hayabusa/releases/tag/v2.17.0) ### Takajo [Yamato-Security/takajo: Takajō (鷹匠) is a Hayabusa results analyzer. - https://github.com/Yamato-Security/takajo](https://github.com/Yamato-Security/takajo) ### EnableWindowsLogSettings [Yamato-Security/EnableWindowsLogSettings: Documentation and scripts to properly enable Windows event logs. - https://github.com/Yamato-Security/EnableWindowsLogSettings](https://github.com/Yamato-Security/EnableWindowsLogSettings) #### Sigma's top log sources   most rules require sysmon installed and isn't default settings ### hayabusa-rules & sigma-to-hayabusa-converter [Yamato-Security/hayabusa-rules: Curated Windows event log Sigma rules used in Hayabusa and Velociraptor.](https://github.com/Yamato-Security/hayabusa-rules) [Yamato-Security/sigma-to-hayabusa-converter: Documentation and tools to curate Sigma rules for Windows event logs into easier to parse rules.](https://github.com/Yamato-Security/sigma-to-hayabusa-converter) ``` --> sysmon rules original sigma rules --> built-in event rules ``` sysmon required a lot resources to analyze and storage https://learn.microsoft.com/zh-tw/sysinternals/downloads/sysmon ### scalable dfir built with velociraptor and hayabusas and takajo reason: - Insufficient log collection - Missing agent settings - Rules not detecting attacks - Ignored alerts Most companies do not review 100% of the SIEM / EDR alerts > velociraptor > https://docs.velociraptor.app/ ### Velociraptor environment setup 1. Server module startup 2. Create ... 3. Distribute ... #### Basic 1. request with VQL 2. Return the collected results to the server ### Distribution,execution,and collection of Hayabusa ussing VQL 1. hayabuse + execution VQL with velociraptor on endpoint... 我們用Hayabusa、Velociraptor工具蒐集很多log,下一步我們要如何一次將他們分析 ### easy analysis with Takajo `automagic` command = batch analysis of multiple files 1. download hunt JSONL file from velociraptor web 2. takajo.exe `automagic` command new command `html-report` for today HITCON release [Release v2.6.0 · Yamato-Security/takajo](https://github.com/Yamato-Security/takajo/releases/tag/v2.6.0) "Data with mose total detection" in html report in the left side we can see summary of alerts "mouse" can see the timeline of alerts(different level) ### HTML　Report Future Plans - create a dynamic web server - support HTML report output though ### Open-Source contribution advice - if you are planning to create open source blue team tools, just do it! - creatte something will solve a problem you hav for work - if you don't know what to make,start off by contributing to other open-source projects(Fixing bugs,adding features,etc......) - it does not have to be a tool, it can just be documentation ### Open-Source management advice - make sure there is a leader you can trust - make your project and goals clear - Have a diversity of memners with different strengths and weeknesses. - doing a project with 3 - 5 people is probably the best number - Have good documentation!!! - As a volunteer work,don't force anyone to do anything - never give up! - Have periodic meetings and Make the meeting fun,too - make sure you thank the people who volunteer working on ### Future plans 1. Analysis with AI 2. Analysis with machine learning 3. Suzaku link to the github page: [Yamato Security 大和セキュリティ](https://github.com/Yamato-Security)