These resources are intended to guide a SIEM team to...
- ... develop a workflow for content creation (and retirement) in the SIEM and other security tools.
- ... illustrate detection coverage provided and highlight coverage gaps as goals to fill.
- ... eliminate or add additional layers of coverage based on organizational needs.
- ... ensure proper logs are generated and recorded for sufficient detection, investigation, and compliance.
Without covering the basics, there isn't much point in having a SIEM. Harden your environment and configure appropriate auditing on all endpoints.
- Preparation
- Incident Response Policy Sample
- RSS Feeds
- Email Subscriptions
- Logging
- Notable Event IDs
- IR Tools & Resources
- Incident Tracking
- Metrics
- After Action Review
- Attacker Tools
To detect an attacker, one must be equipped with the necessary logs to reveal their activities. Here we use a matrix to map detection tactics to attacker tactics (MITRE ATT&CK).
Once necessary logs are collected (detection tactics), use various methods to reveal anomalous, suspicious, and malicious activity.
Use Cases provide a means to document solutions for many reasons including tracking work, uniform response, content recreation, metrics & reporting, making informed decisions, avoiding work duplication, and more.
Enrichment can add significant value to some ingested logs. Typically enrichment results in either a new field added to events or a lookup table used for filtering or for filling in a field.
- GeoIP/ASN Lookup
- Levenshtein Distance
- Shannon Entropy Scores
- String Lengths
- Top 1 Million Domains
- WHOIS Caching
- DNS Lookup
- Reverse-DNS Lookup
- Certificate Parsing
- O365 Principal App IDs
- Windows Logon Type Lookups
- Windows Status Code Lookups
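As an added example (not code from this resource set), a small Python enrichment step that attaches several of the fields listed above (string length, Shannon entropy, Levenshtein distance to the nearest popular domain) to constructed DNS query events; `TOP_DOMAINS` is a constructed four-entry stand-in for a Top 1 Million list.

```python
import math
from collections import Counter

# Constructed stand-in for a "Top 1 Million" domain list (assumption, not real data).
TOP_DOMAINS = ["google.com", "microsoft.com", "github.com", "office.com"]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking (DGA-style) labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def levenshtein(a: str, b: str) -> int:
    """Edit distance using the classic two-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def enrich(event: dict) -> dict:
    """Return a copy of a DNS query event with enrichment fields added."""
    q = event["query"].lower().rstrip(".")
    label = q.split(".")[0]  # leftmost label only; registrable-domain parsing is out of scope
    nearest = min(TOP_DOMAINS, key=lambda d: levenshtein(q, d))
    out = dict(event)
    out.update({
        "query_len": len(q),
        "label_entropy": round(shannon_entropy(label), 3),
        "nearest_top_domain": nearest,
        "nearest_top_distance": levenshtein(q, nearest),  # small but non-zero suggests a lookalike
        "in_top_domains": q in TOP_DOMAINS,
    })
    return out


# Constructed sample events: a known-good domain, a lookalike, and a random-looking label.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "query": "github.com"},
    {"src": "10.0.0.6", "query": "rnicrosoft.com"},
    {"src": "10.0.0.7", "query": "x7k2q9vbn3mz8pl1.net"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(enrich(ev))
```

The enriched fields are what a SIEM rule would then filter on (for example, a high `label_entropy` or a `nearest_top_distance` of 1 or 2 against a domain not in the list).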
Set up a lab with a Windows system, a SIEM, and an attacking system to aid in detection research and development.
- Add Use Case Examples
- Add Threat Hunts Library
- Add an object-oriented, relational database approach to recording and associating all elements with one another: cases, adversaries, techniques, mitigations, detections, hunts, log sources, etc.