Update README.md

Signed-off-by: LUIZ HAMILTON ROBERTO DA SILVA <[email protected]>

Author: brazilianscriptguy

BlueTeam-Tools/README.md

@@ -1,118 +1,165 @@
-# 🛡️ BlueTeam-Tools  
-### DFIR · Event Logs · Incident Response · Forensic Readiness
+# 🔵 BlueTeam-Tools Suite  
+### DFIR · Forensic Readiness · Security Visibility
 
-[![Parent Repo](https://img.shields.io/badge/Parent-Windows--SysAdmin--ProSuite-181717?style=for-the-badge&logo=github)](https://github.com/brazilianscriptguy/Windows-SysAdmin-ProSuite)
+[![Parent](https://img.shields.io/badge/Parent-Windows--SysAdmin--ProSuite-181717?style=for-the-badge&logo=github)](../)
+[![BlueTeam](https://img.shields.io/badge/BlueTeam-DFIR-orange?style=for-the-badge)]()
+[![Forensics](https://img.shields.io/badge/Domain-Digital%20Forensics-black?style=for-the-badge)]()
+[![Security](https://img.shields.io/badge/Domain-Cybersecurity-critical?style=for-the-badge)]()
 [![PowerShell](https://img.shields.io/badge/PowerShell-5.1%20%7C%207.x-5391FE?style=for-the-badge&logo=powershell&logoColor=white)]()
-[![Windows](https://img.shields.io/badge/Windows-10%20%7C%2011%20%7C%20Server-0078D6?style=for-the-badge&logo=windows&logoColor=white)]()
-[![DFIR](https://img.shields.io/badge/Domain-DFIR-critical?style=for-the-badge)]()
-[![Security](https://img.shields.io/badge/Focus-Cybersecurity-red?style=for-the-badge&logo=security)]()
-[![Forensics](https://img.shields.io/badge/Focus-Digital%20Forensics-black?style=for-the-badge)]()
+[![Windows](https://img.shields.io/badge/Windows-Server%20%7C%2010%20%7C%2011-0078D6?style=for-the-badge&logo=windows&logoColor=white)]()
 
-**BlueTeam-Tools** is the defensive security and forensic analysis pillar of the  
-**Windows-SysAdmin-ProSuite**, providing enterprise-grade PowerShell tooling for:
+---
+
+## 🧭 Overview
+
+[![Purpose](https://img.shields.io/badge/Purpose-Forensic%20Operations-blue?style=for-the-badge)]()
+[![Design](https://img.shields.io/badge/Design-Auditable-success?style=for-the-badge)]()
+[![Execution](https://img.shields.io/badge/Execution-Deterministic-6A5ACD?style=for-the-badge)]()
+
+The **BlueTeam-Tools Suite** is a **forensic-grade PowerShell toolkit** designed for **Blue Team**, **DFIR**, and **Cybersecurity Operations** within Windows enterprise and public-sector environments.
 
-- 🔍 Threat detection and investigation  
-- 🧾 Windows Event Log analysis  
-- 🕵️ Incident response support  
-- 📊 Audit-ready forensic reporting  
+It provides **repeatable**, **auditable**, and **incident-ready** tooling to support:
+
+- Live-response operations  
+- Event correlation and threat hunting  
+- Evidence collection and forensic readiness  
+- Security posture validation and audit support  
+
+All tools follow the same engineering principles applied across **Windows-SysAdmin-ProSuite**:  
+**deterministic execution, structured logging, and governance alignment**.
 
 ---
 
-## 🎯 Operational Scope
+## 🧪 Core Capabilities
 
-[![Blue Team](https://img.shields.io/badge/Team-Blue%20Team-blue?style=for-the-badge)]()
-[![SOC](https://img.shields.io/badge/Environment-SOC-003366?style=for-the-badge)]()
-[![IR](https://img.shields.io/badge/Capability-Incident%20Response-darkred?style=for-the-badge)]()
-[![Audit](https://img.shields.io/badge/Use-Audit%20%26%20Compliance-success?style=for-the-badge)]()
+[![Forensics](https://img.shields.io/badge/Forensics-Ready-black?style=for-the-badge)]()
+[![Logging](https://img.shields.io/badge/Logging-Structured-success?style=for-the-badge)]()
+[![Reports](https://img.shields.io/badge/Reports-CSV%20%7C%20LOG-informational?style=for-the-badge)]()
+[![GUI](https://img.shields.io/badge/GUI-Available-blueviolet?style=for-the-badge)]()
 
-Designed to support:
+- 🔍 **Forensic Automation**  
+  Extraction of Windows Event Logs, registry artifacts, network sessions, user activity, and volatile system state.
 
-- Security Operations Centers (SOC)
-- DFIR teams
-- Judicial and public-sector investigations
-- Enterprise security audits
-- Post-incident technical reporting
+- 🛡️ **Incident Response Support**  
+  Live-response data capture, evidence preservation, and correlation during active or post-incident scenarios.
+
+- 📊 **Security Visibility & Auditability**  
+  Policy validation, configuration auditing, and exportable `.csv` / `.log` artifacts suitable for compliance and investigations.
 
 ---
 
-## 🧠 Core Capabilities
+## 🧩 Script Categories & Architecture
 
-[![Event Logs](https://img.shields.io/badge/EventLogs-EVTX%20Analysis-orange?style=for-the-badge)]()
-[![Timeline](https://img.shields.io/badge/Forensics-Timeline%20Reconstruction-black?style=for-the-badge)]()
-[![Correlation](https://img.shields.io/badge/Analysis-Correlation-informational?style=for-the-badge)]()
-[![Artifacts](https://img.shields.io/badge/Artifacts-Windows%20Artifacts-blueviolet?style=for-the-badge)]()
+[![Architecture](https://img.shields.io/badge/Architecture-Modular-008080?style=for-the-badge)]()
+[![Integration](https://img.shields.io/badge/Integration-IR%20Pipelines-4B0082?style=for-the-badge)]()
+[![Structure](https://img.shields.io/badge/Structure-Folder%20Based-2F4F4F?style=for-the-badge)]()
 
-- Parsing and querying Windows Event Logs (EVTX)
-- Detection of anomalous authentication behavior
-- Timeline reconstruction of user and system activity
-- Identification of lateral movement indicators
-- Correlation of logon, privilege, and service events
+| Component | Purpose | Documentation |
+|---------|---------|---------------|
+| **EventLogMonitoring** | Security-focused analysis of Windows Event Logs, including authentication failures, privilege escalation, lateral movement indicators, and policy violations. | [![Docs](https://img.shields.io/badge/View-README-0A66C2?style=for-the-badge&logo=github)](EventLogMonitoring/README.md) |
+| **IncidentResponse** | Live-response and post-incident utilities for volatile artifacts, active sessions, system metadata, and threat indicators. | [![Docs](https://img.shields.io/badge/View-README-0A66C2?style=for-the-badge&logo=github)](IncidentResponse/README.md) |
+
+> Folder structure reflects **operational separation**, not execution order.
 
 ---
 
-## 🧩 Directory Structure
-
-```text
-BlueTeam-Tools/
-│
-├─ EventLogMonitoring/
-│   ├─ Authentication analysis
-│   ├─ Privilege escalation detection
-│   └─ Logon/session correlation
-│
-├─ IncidentResponse/
-│   ├─ Rapid triage scripts
-│   ├─ Evidence-oriented collection
-│   └─ Post-incident review helpers
-│
-└─ README.md
-```
+## 🏛️ Scope & Target Audience
+
+[![Audience](https://img.shields.io/badge/Audience-Blue%20Team-orange?style=for-the-badge)]()
+[![Audience](https://img.shields.io/badge/Audience-DFIR-darkred?style=for-the-badge)]()
+[![Audience](https://img.shields.io/badge/Audience-Public%20Sector-0047AB?style=for-the-badge)]()
+[![Audience](https://img.shields.io/badge/Audience-Enterprise%20SOC-2E8B57?style=for-the-badge)]()
+
+Designed for professionals operating in:
+
+- Security Operations Centers (SOC)
+- Digital Forensics & Incident Response (DFIR)
+- Identity & Access Management investigations
+- Compliance, audit, and governance workflows
+- Public-sector and regulated environments
 
 ---
 
-## 📤 Outputs & Evidence Handling
+## ⚙️ Requirements & Environment
+
+[![PS](https://img.shields.io/badge/PowerShell-Minimum%205.1-5391FE?style=for-the-badge&logo=powershell)]()
+[![Privileges](https://img.shields.io/badge/Privileges-Administrator-critical?style=for-the-badge)]()
+[![Compatibility](https://img.shields.io/badge/Compatibility-Windows%20Native-success?style=for-the-badge)]()
 
-[![Logs](https://img.shields.io/badge/Logs-Structured-success?style=for-the-badge)]()
-[![CSV](https://img.shields.io/badge/Reports-CSV-informational?style=for-the-badge)]()
-[![Chain of Custody](https://img.shields.io/badge/Forensics-Chain%20of%20Custody-black?style=for-the-badge)]()
+- **PowerShell**  
+  Minimum **5.1** (PowerShell 7+ supported)
 
-Most tools generate:
+```powershell
+$PSVersionTable.PSVersion
+```
+
+- **Administrative Privileges**  
+  Required to access protected system artifacts.
+
+- **RSAT (when applicable)**
+
+```powershell
+Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
+```
+
+- **Execution Policy (session-scoped)**
+
+```powershell
+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process
+```
 
-- `.log` execution logs
-- `.csv` structured datasets
-- Timestamped artifacts
-- Reproducible outputs suitable for audits and investigations
+- **Optional Modules**  
+  `ActiveDirectory`, `Defender`, `DHCPServer`
 
 ---
 
-## 🏛️ Governance & Forensic Principles
+## 🚀 Getting Started
 
-[![Forensic Soundness](https://img.shields.io/badge/Principle-Forensic%20Soundness-critical?style=for-the-badge)]()
-[![Auditability](https://img.shields.io/badge/Principle-Auditability-success?style=for-the-badge)]()
-[![Reproducibility](https://img.shields.io/badge/Principle-Reproducibility-blue?style=for-the-badge)]()
+[![Clone](https://img.shields.io/badge/Access-Git%20Clone-181717?style=for-the-badge&logo=github)]()
+[![Workflow](https://img.shields.io/badge/Workflow-Review%20→%20Execute-blue?style=for-the-badge)]()
 
-- Non-destructive data handling
-- Minimal system interaction
-- Explicit logging of all actions
-- Deterministic execution paths
+```powershell
+git clone https://github.com/brazilianscriptguy/Windows-SysAdmin-ProSuite.git
+cd Windows-SysAdmin-ProSuite/BlueTeam-Tools
+```
+
+**Recommended workflow:**
+
+1. Select the appropriate category  
+2. Review the local `README.md`  
+3. Execute the script  
+4. Review generated `.log` and `.csv` artifacts  
+
+> ⚠️ Always validate execution context before running in production or investigative environments.
 
 ---
 
-## ⚙️ Requirements
+## 🔗 Integration & Interoperability
 
-[![PowerShell](https://img.shields.io/badge/PowerShell-5.1%20Required-5391FE?style=for-the-badge&logo=powershell)]()
-[![Admin](https://img.shields.io/badge/Privileges-Administrator-critical?style=for-the-badge)]()
-[![OS](https://img.shields.io/badge/OS-Windows%20Only-0078D6?style=for-the-badge&logo=windows)]()
+[![Integration](https://img.shields.io/badge/Integration-GPO-blue?style=for-the-badge)]()
+[![Integration](https://img.shields.io/badge/Integration-Scheduled%20Tasks-4682B4?style=for-the-badge)]()
+[![Integration](https://img.shields.io/badge/Integration-SIEM-informational?style=for-the-badge)]()
+
+BlueTeam tools are designed to integrate with:
+
+- Incident response playbooks  
+- GPO-based execution models  
+- Scheduled forensic snapshots  
+- SIEM ingestion pipelines  
+- Compliance and audit evidence chains  
 
 ---
 
-## 📬 Contact & Support
+## 🤝 Support & Community
 
-[![Email](https://img.shields.io/badge/Email-luizhamilton.lhr%40gmail.com-D14836?style=for-the-badge&logo=gmail)](mailto:[email protected])
-[![Buy Me a Coffee](https://img.shields.io/badge/Buy%20Me%20a%20Coffee-Support-yellow?style=for-the-badge&logo=buymeacoffee)](https://buymeacoffee.com/brazilianscriptguy)
-[![Ko--fi](https://img.shields.io/badge/Ko--fi-Support-blue?style=for-the-badge&logo=kofi)](https://ko-fi.com/brazilianscriptguy)
-[![Patreon](https://img.shields.io/badge/Patreon-Support-red?style=for-the-badge&logo=patreon)](https://www.patreon.com/brazilianscriptguy)
+[![Email](https://img.shields.io/badge/[email protected]?style=for-the-badge&logo=gmail)](mailto:[email protected])
+[![Patreon](https://img.shields.io/badge/Support-Patreon-red?style=for-the-badge&logo=patreon)](https://patreon.com/brazilianscriptguy)
+[![BuyMeACoffee](https://img.shields.io/badge/Support-Buy%20Me%20a%20Coffee-yellow?style=for-the-badge&logo=buymeacoffee)](https://buymeacoffee.com/brazilianscriptguy)
+[![Ko-fi](https://img.shields.io/badge/Support-Ko--fi-blue?style=for-the-badge&logo=kofi)](https://ko-fi.com/brazilianscriptguy)
+[![GoFundMe](https://img.shields.io/badge/Support-GoFundMe-green?style=for-the-badge&logo=gofundme)](https://gofundme.com/f/brazilianscriptguy)
 
 ---
 
-© 2026 Luiz Hamilton Silva — BlueTeam-Tools
+> 🛡️ _BlueTeam-Tools Suite is engineered for environments where **forensics, response, governance, and auditability converge**._
+
+© 2026 Luiz Hamilton Silva. All rights reserved.