Skip to content

TonyPhipps/SIEM

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

416 Commits
Lab
Lab
 
 
Lookups
Lookups
 
 
Policy
Policy
 
 
Signatures/Splunk
Signatures/Splunk
 
 
Splunk
Splunk
 
 
Tactics
Tactics
 
 
UseCases
UseCases
 
 
hardening
hardening
 
 
.gitignore
.gitignore
 
 
Detect.ods
Detect.ods
 
 
Detection-Library-Structure.md
Detection-Library-Structure.md
 
 
Detection-Methods.md
Detection-Methods.md
 
 
Detection-Tactics.md
Detection-Tactics.md
 
 
LICENSE
LICENSE
 
 
Logging.md
Logging.md
 
 
Metrics.md
Metrics.md
 
 
Notable-Event-IDs.md
Notable-Event-IDs.md
 
 
README.md
README.md
 
 
Threat-Hunting.md
Threat-Hunting.md
 
 
Use-Case-Structure.md
Use-Case-Structure.md
 
 
Use-Cases.md
Use-Cases.md
 
 
attack-tools-resources.md
attack-tools-resources.md
 
 
dashboards.md
dashboards.md
 
 
field-kit.md
field-kit.md
 
 
incident-tracking.md
incident-tracking.md
 
 
interview-questions.md
interview-questions.md
 
 
mitigation-categories.md
mitigation-categories.md
 
 
osintel.md
osintel.md
 
 
response-tools-resources.md
response-tools-resources.md
 
 
technical-documentation.md
technical-documentation.md
 
 

Repository files navigation

These resources are intended to guide a SIEM team to...

  • ... develop a workflow for content creation (and retirement) in the SIEM and other security tools.
  • ... illustrate detection coverage provided and highlight coverage gaps as goals to fill.
  • ... eliminate or add additional layers of coverage based on organizational needs.
  • Ensure proper logs are generated and recorded for sufficient detection, investigation, and compliance.

Preparation, Prerequisites, etc.

Without covering the basics, there isn't much point in having a SIEM. Harden your environment and configure appropriate auditing on all endpoints.

Hardening

Detection Tactics

To detect an attacker, one must be equipped with the necessary logs to reveal their activities. Here we use a matrix to map detection tactics to attacker tactics (Mitre ATT&CK).

Detection Methods

Once necessary logs are collected (detection tactics), use various methods to reveal anomalous, suspicious, and malicious activity.

Detection Use Cases

Use Cases provide a means to document solutions for many reasons including tracking work, uniform response, content recreation, metrics & reporting, making informed decisions, avoiding work duplication, and more.

Data Enrichment

These efforts can provide significant benefits to some ingested logs. Typically enrichment will result in either adding a new field to events or a lookup table for use in filtering or filling in a field.

Lab

Set up a lab with a Windows system, a SIEM, and an attacking system to aid in detection research and development.

TODO

  • Add Use Case Examples
  • Add Threat Hunts Library
  • Add an object oriented, relational database approach to recording and associating all elements to one another - cases, adversaries, techniques, mitigations, detections, hunts, log sources, etc.

About

SIEM Tactics, Techiques, and Procedures

Topics

security monitor log analysis red blue scan threat forensics response purple baseline threat-hunting hunt recon team siem soc incident triage

Resources

Readme

License

GPL-3.0 license
Activity

Stars

582 stars

Watchers

32 watching

Forks

102 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages