SIEM

These resources are intended to guide a SIEM team to…

• … develop a workflow for content creation (and retirement) in the SIEM and other security tools.
• … illustrate detection coverage provided and highlight coverage gaps as goals to fill.
• … eliminate or add additional layers of coverage based on organizational needs.
• Ensure proper logs are generated and recorded for sufficient detection, investigation, and compliance.

Preparation, Prerequisites, etc.

Without covering the basics, there isn’t much point in having a SIEM. Harden your environment and configure appropriate auditing on all endpoints.

• Preparation
• Incident Response Policy Sample
• RSS Feeds, Subscriptions, etc
• Logging
• Notable Event IDs - Sigma
• Notable Event IDs - Risk
• Notable Event IDs - Forensics
• IR Tool & Resources
• Incident Tracking
• Metrics
• Attacker Tools

Hardening

• DNS Security
• Email Security
• General Security
• Microsoft 365
  • Auditing and Reporting
  • Azure AD
  • Exchange
  • SharePoint and OneDrive
  • Teams
• Microsoft Active Directory
• Microsoft Windows DNS
• Microsoft Windows
• Network
• Remote Access
• Software Manufacturers
• Web Security

Detection and Compliance Matrix

A Detection and Complianace Matrix is an object oriented, relational database approach to recording and associating all elements to one another - cases, adversaries, techniques, mitigations, detections, hunts, log sources, etc.

• Detection Tactics To detect an attacker, one must be equipped with the necessary logs to reveal their activities. Here we use a matrix to map detection tactics to attacker tactics (Mitre ATT&CK).

• Detection Methods Once necessary logs are collected (detection tactics), use various methods to reveal anomalous, suspicious, and malicious activity.

• Playbooks Playbooks provide a means to document solutions for many reasons including tracking work, uniform response, content recreation, metrics & reporting, making informed decisions, avoiding work duplication, and more.

• Playbook Structure
• Signature Structure

Data Enrichment

These efforts can provide significant benefits to some ingested logs. Typically enrichment will result in either adding a new field to events or a lookup table for use in filtering or filling in a field.

• GeoIP/ASN Lookup
• Levenshtein Distance
• Shannon Entropy Scores
• String Lengths
• Top 1 Million Domains
• WHOIS Caching
• DNS Lookup
• Reverse-DNS Lookup
• Certificate Parsing
• O365 Principal App IDs
• Windows Logon Type Lookups
• Windows Status Code Lookups

Lab

Set up a lab with a Windows system, a SIEM, and an attacking system to aid in detection research and development.

TODO

• Add Threat Hunts Library

This site is open source. Improve this page.