Saved queries, rules and (coming soon) transforms for doing multivariate correlation in the Elastic stack
A set of saved queries that use osquery to enumerate the following on Windows hosts:
- domains (details of AD domains hosts are members of)
- drivers
- patches (installed Windows patches and hotfixes)
- programs (installed software details)
- scheduled tasks
- server roles
- services
- startup
- users (details of local and / or domain users who have authenticated)
Building block rules that identify Windows DNS servers and domain controllers from the query results above, so that higher-level correlation rules can reference those hosts without the building block alerts themselves appearing in the alert list
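The following osquery SQL is an added illustration of the kind of enumeration and role-identification queries described above; it is not the repository's own saved queries or rule definitions. It assumes osquery's standard Windows tables (ntdomains, drivers, patches, programs, scheduled_tasks, services, startup_items, users, logged_in_users). The server-roles query is not shown because osquery has no dedicated table for it; instead the last two queries infer the DNS server and domain controller roles from service names (the DNS Server service is named DNS, Active Directory Domain Services is NTDS), which is the check a building block rule would key on.

```sql
-- domains: AD domain(s) the host is joined to, plus the DC it is talking to
SELECT name, domain_name, dns_forest_name, domain_controller_name,
       domain_controller_address, dc_site_name, status
FROM ntdomains;

-- drivers: loaded kernel drivers; unsigned ones are the interesting rows
SELECT device_name, image, provider, version, class, signed, date
FROM drivers
ORDER BY signed ASC, provider;

-- patches: installed hotfixes, most recent first
SELECT hotfix_id, description, installed_by, installed_on
FROM patches
ORDER BY installed_on DESC;

-- programs: installed software as seen by Add/Remove Programs
SELECT name, version, publisher, install_location, install_date
FROM programs
ORDER BY name;

-- scheduled tasks: enabled tasks and what they run
SELECT name, path, action, enabled, hidden, last_run_time, next_run_time
FROM scheduled_tasks
WHERE enabled = 1;

-- services: running and auto-start services with their binary path and account
SELECT name, display_name, status, start_type, path, user_account
FROM services
WHERE status = 'RUNNING' OR start_type = 'AUTO_START';

-- startup: autostart entries from registry run keys and startup folders
SELECT name, path, args, source, status, username
FROM startup_items;

-- users: local and domain accounts known to the host ...
SELECT uid, username, description, directory, type
FROM users;

-- ... and accounts that currently have a session (i.e. have authenticated)
SELECT type, user, host, time, sid
FROM logged_in_users;

-- building block: this host is a DNS server if the DNS Server service exists
SELECT name, display_name, status, path
FROM services
WHERE name = 'DNS';

-- building block: this host is a domain controller if AD DS (NTDS) exists
SELECT name, display_name, status, path
FROM services
WHERE name = 'NTDS';
```

Each query is a separate saved query in Kibana's osquery integration; a building block rule then matches the result rows (e.g. a services row whose name is NTDS) and tags the host so that correlation rules can join on it.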