Robert Wilson frcolumba
@frcolumba
frcolumba / gist:5a2518684ed4e2b18a386fa3647d5629
Created February 6, 2018 20:36
Windows Defender ASR in OSSEC
If you don't have an E5 subscription, run Windows 10 1709 in your environment, and use OSSEC, you can quickly add the new ASR (Attack Surface Reduction) events to your alerting and reports, since you don't have access to the Defender console.
The event reference is here: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-all-windows-defender-exploit-guard-events
All you need to do is add this to your OSSEC agent configuration:
<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
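Collecting the channel gets the events into OSSEC, but nothing alerts until a rule matches them. The fragment below is an added example, not part of frcolumba's gist: a local_rules.xml group that raises alerts for ASR rule hits in block mode (event ID 1121) and audit mode (event ID 1122), plus Defender configuration changes (event ID 5007), all taken from the Microsoft event reference linked above. It assumes the agent's eventchannel lines are decoded by OSSEC's stock windows decoder (so the rules chain off the generic Windows rule 18100 and the event ID is available to <id>), that the channel name appears in the logged line (so <match> can scope the rules to Defender), and that rule IDs 100100 to 100102 are free in your local rule range.

```xml
<!-- Added example (not from the gist): OSSEC local_rules.xml fragment for
     Windows Defender Attack Surface Reduction events collected through the
     Microsoft-Windows-Windows Defender/Operational eventchannel.
     Event IDs are from the Microsoft Exploit Guard event reference;
     rule IDs 100100-100102 are assumed to be unused in your local range. -->
<group name="windows,windows_defender,asr,">

  <!-- ASR rule fired in block mode: the action was actually stopped -->
  <rule id="100100" level="10">
    <if_sid>18100</if_sid>
    <match>Windows Defender</match>
    <id>^1121$</id>
    <description>Windows Defender ASR rule fired (block mode)</description>
  </rule>

  <!-- ASR rule fired in audit mode: would have been blocked if enforced.
       Lower level, but keep it for tuning before switching rules to block. -->
  <rule id="100101" level="5">
    <if_sid>18100</if_sid>
    <match>Windows Defender</match>
    <id>^1122$</id>
    <description>Windows Defender ASR rule fired (audit mode)</description>
  </rule>

  <!-- Defender configuration changed: worth a look when it is not a planned change -->
  <rule id="100102" level="7">
    <if_sid>18100</if_sid>
    <match>Windows Defender</match>
    <id>^5007$</id>
    <description>Windows Defender configuration changed</description>
  </rule>
</group>
```

Drop the fragment into rules/local_rules.xml on the OSSEC server and restart ossec; the audit-mode rule is the one to watch while ASR rules are still in audit, since it tells you what would break before you turn enforcement on.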

Keybase proof

I hereby claim:

  • I am frcolumba on github.
  • I am frcolumba (https://keybase.io/frcolumba) on keybase.
  • I have a public key whose fingerprint is 4AD2 CF6A 7109 CAFC FF86 88CA B784 22C5 57C2 19DB

To claim this, I am signing this object: