SaidaniMohamed / Adama

Searches For Threat Hunting and Security Analytics


Adama

A collection of known log and/or event data searches for threat hunting and detection. They enumerate sets of searches used across many different data pipelines; implementation details are for ELK. Adama is part of the SpaceCake project, which is a set of hunts, searches, alerts, visualizations and data pipelines for intrusion detection, security analytics and threat hunting using F/OSS (free and open source) tools.

Contents

Authentication - searches for authentication data sets hunting for brute force, credential compromise, credentialed persistence and session fixation / hijacking

Cloud - searches for cloud and virtualization specific threats using API and cloud centric data

Correlation - search techniques that combine different events in order to make complex and sophisticated detections

Cross-platform - general purpose searches for threat hunting on hosts. These behavioral detection techniques are relevant to Linux, MacOS and Windows hosts

Database - searches for database monitoring and compromise

Exfiltration - a list of known data exfiltration techniques and related searches

Linux - searches for threat hunting on Linux hosts

Mac - searches for threat hunting on macOS hosts

Machine Learning - Anomaly detection searches using the significant terms aggregation; good for finding things that evade conventional rules.

Network - searches for threat hunting using network data like IDS, proxy and flow events

Web - searches for detecting attacks on web services using web server logs

Windows - searches for threat hunting on Windows hosts


License:Other