I hereby claim:
- I am frcolumba on github.
- I am frcolumba (https://keybase.io/frcolumba) on keybase.
- I have a public key whose fingerprint is 4AD2 CF6A 7109 CAFC FF86 88CA B784 22C5 57C2 19DB
To claim this, I am signing this object:
Robert Wilson frcolumba
frcolumba
/ key base.md
Created
June 8, 2016 01:34
frcolumba
/ gist:5a2518684ed4e2b18a386fa3647d5629
Created
February 6, 2018 20:36
Windows Defender ASR in OSSEC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If you don't have an E5 subscription, run 1709 in your environment, and use OSSEC, you can quickly add the new ASR features | |
| to your alerting and reports since you don't have access to the Defender console thingy. | |
| The event reference is here: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-all-windows-defender-exploit-guard-events | |
| All your need to do is add: | |
| <localfile> | |
| <location>Microsoft-Windows-Windows Defender/Operational</location> | |
| <log_format>eventchannel</log_format> |