
About the developer

TonyPhipps
196 stars, 41 forks, 328 commits, 1 open issue. License: GNU General Public License v3.0.

Description

SIEM Tactics, Techniques, and Procedures


These resources are intended to guide a SIEM team to...

* ... develop a workflow for content creation (and retirement) in the SIEM and other security tools.
* ... illustrate the detection coverage provided and highlight coverage gaps as goals to fill.
* ... eliminate or add layers of coverage based on organizational needs.
* ... ensure the proper logs are generated and recorded for sufficient detection, investigation, and compliance.

Detection Prerequisites

Without covering the basics, there isn't much point in having a SIEM: a detection is only as good as the events that feed it. Harden your environment and configure appropriate auditing on all endpoints before building content.

Hardening

Detection Tactics

To detect an attacker, one must be equipped with the logs that reveal their activity. Here a matrix maps detection tactics (the log sources and audit settings to collect) to the attacker tactics in MITRE ATT&CK that they can expose.

Detection Methods

Once the necessary logs are collected (see Detection Tactics), apply various methods, such as thresholds, correlation across events, and baselining, to reveal anomalous, suspicious, and malicious activity.

Detection Use Cases

Use cases document a detection and its expected response. Keeping them written down serves many purposes: tracking work, uniform response, recreating content after a migration, metrics and reporting, informed decisions, avoiding duplicated work, and more.

Data Enrichment

Enrichment adds context that raw ingested logs lack, such as which asset an IP address belongs to or whether an event represents a success or a failure. Typically enrichment either adds a new field to each event or maintains a lookup table used for filtering or for filling in a field.
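The two preceding sections, Detection Methods and Data Enrichment, describe steps that are easiest to see together. The following is an added example, not code from the TonyPhipps/SIEM repository: constructed Windows logon events (not real logs) are enriched from a hypothetical asset lookup table and with a derived outcome field, then a threshold-and-correlation detection is run over them. The field names, the ASSET_LOOKUP contents, and the "5 failures within 5 minutes followed by a success" rule are assumptions made for illustration.

```python
# Added example, not code from the TonyPhipps/SIEM repository: enrich constructed
# Windows logon events from a lookup table, then run a threshold detection over them.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a flat key=value form (not real logs).
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
SAMPLE_EVENTS = """\
ts=2024-01-10T08:00:01 EventID=4625 src_ip=10.0.5.23 user=alice host=FS01
ts=2024-01-10T08:00:02 EventID=4625 src_ip=10.0.5.23 user=alice host=FS01
ts=2024-01-10T08:00:03 EventID=4625 src_ip=10.0.5.23 user=alice host=FS01
ts=2024-01-10T08:00:04 EventID=4625 src_ip=10.0.5.23 user=alice host=FS01
ts=2024-01-10T08:00:05 EventID=4625 src_ip=10.0.5.23 user=alice host=FS01
ts=2024-01-10T08:00:30 EventID=4624 src_ip=10.0.5.23 user=alice host=FS01
ts=2024-01-10T08:01:00 EventID=4625 src_ip=10.0.9.4 user=bob host=FS01
ts=2024-01-10T08:01:05 EventID=4624 src_ip=10.0.9.4 user=bob host=FS01
ts=2024-01-10T07:00:00 EventID=4625 src_ip=203.0.113.9 user=admin host=DC01
ts=2024-01-10T07:00:01 EventID=4625 src_ip=203.0.113.9 user=admin host=DC01
ts=2024-01-10T07:00:02 EventID=4625 src_ip=203.0.113.9 user=admin host=DC01
ts=2024-01-10T07:00:03 EventID=4625 src_ip=203.0.113.9 user=admin host=DC01
ts=2024-01-10T07:00:04 EventID=4625 src_ip=203.0.113.9 user=admin host=DC01
ts=2024-01-10T07:00:05 EventID=4625 src_ip=203.0.113.9 user=admin host=DC01
ts=2024-01-10T07:30:00 EventID=4624 src_ip=203.0.113.9 user=admin host=DC01
"""

# Hypothetical asset inventory: the "lookup table" style of enrichment.
ASSET_LOOKUP = {
    "10.0.5.23": {"asset": "WKS-HR-07", "owner": "hr-dept", "zone": "corp"},
    "10.0.9.4": {"asset": "WKS-IT-02", "owner": "it-ops", "zone": "corp"},
}
UNKNOWN_ASSET = {"asset": "unknown", "owner": "unknown", "zone": "unknown"}

# Derived field: the "add a new field to events" style of enrichment.
OUTCOME_BY_EVENT_ID = {"4624": "success", "4625": "failure"}


def parse_event(line):
    """Turn one key=value line into a dict; ts becomes a datetime."""
    event = dict(token.split("=", 1) for token in line.split())
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def enrich(event, lookup=ASSET_LOOKUP):
    """Add asset fields from the lookup table and an outcome field from EventID."""
    enriched = dict(event)
    enriched.update(lookup.get(event["src_ip"], UNKNOWN_ASSET))
    enriched["outcome"] = OUTCOME_BY_EVENT_ID.get(event["EventID"], "other")
    return enriched


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a (src_ip, user) pair succeeds after >= threshold failures
    inside the window. Failures outside the window are ignored, and the
    failure history resets after each success so one alert fires per burst."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src_ip"], e["user"])].append(e)

    alerts = []
    for (src_ip, user), evs in by_key.items():
        failures = []
        for e in sorted(evs, key=lambda ev: ev["ts"]):
            if e["outcome"] == "failure":
                failures.append(e["ts"])
            elif e["outcome"] == "success":
                recent = [t for t in failures if e["ts"] - t <= window]
                if len(recent) >= threshold:
                    alerts.append({
                        "src_ip": src_ip, "user": user, "host": e["host"],
                        "asset": e["asset"], "owner": e["owner"],
                        "failures": len(recent), "success_ts": e["ts"].isoformat(),
                    })
                failures = []
    return alerts


def run(raw=SAMPLE_EVENTS):
    """Parse, enrich, and detect; returns the list of alerts."""
    events = [enrich(parse_event(line)) for line in raw.splitlines() if line.strip()]
    return detect_bruteforce(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only the alice burst fires: bob has a single failure, and the admin failures against DC01 fall outside the five-minute window before the later success, which is the kind of edge case a threshold rule must handle to avoid alerting on stale history. The alert carries the enriched asset and owner fields, so the analyst receives context the raw 4624 event never contained.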

Metrics

Metrics, together with the fields, queries, and manual work each one requires. This section also suggests which ticketing system and form fields are recommended so that metrics can be recorded and reported properly.

Lab

Set up a lab with a Windows system, a SIEM, and an attacking system to aid in detection research and development: generate the attacker activity, confirm the expected events are logged and ingested, then build and tune the detection against them.

TODO

  • [ ] Add Use Case Leads per "tactic" (type of event log)
  • [ ] Add Use Case Examples
  • [ ] Add Isolation sources per OS/software/etc
