SIEM

See Also: https://attack.mitre.org/datasources/ This MITRE effort came out after my work here, and has surpassed it. I will look for a way to expand/complement MITRE's efforts rather than recreate them.

ATT&CK Abbreviations Used

Initial Access (IA), Execution (Exe), Persistence (P), Privilege Escalation (PE), Defense Evasion (DE), Credential Access (CA), Discovery (D), Lateral Movement (LM), Collection (C), Exfiltration (Exf), Command and Control (CC)

Detect | ATT&CK Tactics Cross Mapping

Detection Source            | IA | Exe | P | PE | DE | CA | D | LM | C | Exf | CC |
-----------------------------------------------------------------------------------
Account Creation            | X  |     | X | X  | X  |    |   |    |   |     |    |
Account Logon               | X  |  X  | X | X  | X  |    |   | X  |   |     |    |
Account Modification        | X  |  X  | X | X  | X  | X  |   |    |   |     |    |
API Usage                   |    |  X  | X | X  | X  |    | X |    | X |     |    |
Application Log             |    |     |   |    |    |    |   |    |   |     |    |
Commandline Activity        | X  |  X  | X | X  | X  | X  | X |    | X |  X  |    |
Configuration Change        |    |     | X |    | X  | X  | X |    |   |  X  |    |
DLL Load                    |    |  X  | X | X  | X  |    | X |    |   |  X  |    |
Domain Replication Request  |    |     |   |    |    | X  |   |    |   |     |    |
DNS Request                 |    |     |   |    |    |    |   |    |   |     |    |
Email Traffic               | X  |  X  |   |    | X  |    |   |    |   |     |    |
File Access                 | X  |  X  | X | X  | X  | X  |   | X  | X |  X  |    |
File Contents               | X  |  X  | X |    | X  |    |   |    |   |     |    |
File Creation               | X  |  X  | X | X  | X  |    |   | X  |   |  X  |    |
File Deletion               | X  |     | X | X  | X  |    |   | X  |   |     |    |
File Modification           | X  |     | X | X  | X  |    |   | X  |   |     |    |
File Rename                 |    |  X  | X | X  | X  |    |   | X  |   |     |    |
Group Access                |    |     |   |    |    |    |   |    |   |     |    |
Group Creation              |    |     |   |    |    |    |   |    |   |     |    |
Group Deletion              |    |     |   |    |    |    |   |    |   |     |    |
Group Modification          |    |     |   |    |    |    |   |    |   |     |    |
Group Rename                |    |     |   |    |    |    |   |    |   |     |    |
Firmware Modification       |    |     | X |    | X  |    |   |    |   |     |    |
Instance Creation           |    |     |   |    |    |    |   |    |   |     |    |
Instance Deletion           |    |     |   |    |    |    |   |    |   |     |    |
Instance Modification       |    |     |   |    |    |    |   |    |   |     |    |
Instance Start              |    |     |   |    |    |    |   |    |   |     |    |
Instance Stop               |    |     |   |    |    |    |   |    |   |     |    |
Log Clearing                |    |     |   |    |    |    |   |    |   |     |    |
MBR VBR Modification        |    |     | X |    | X  |    |   |    |   |     |    |
Named Pipe Connection       |    |     |   | X  | X  |    |   |    |   |     |    |
Named Pipe Creation         |    |     |   | X  | X  |    |   |    |   |     |    |
Network Activity by Process |    |  X  |   |    |    | X  | X | X  |   |  X  | X  |
Network Activity by IP      |    |  X  |   |    |    | X  | X | X  |   |  X  |    |
Network File Carving        |    |     |   |    |    |    |   |    |   |  X  |    |
Network Port Opening        |    |     | X | X  |    |    |   | X  |   |     |    |
Network Full Packet Capture | X  |     |   |    |    |    |   |    |   |     |    |
NGAV Alarms                 |    |     |   |    |    |    |   |    |   |     |    |
Process Access              |    |     |   |    |    |    |   |    |   |     |    |
Process Execution           |    |  X  | X | X  | X  | X  | X | X  | X |  X  |    |
Process Hooking             |    |     | X | X  |    | X  |   |    |   |     |    |
Process Termination         |    |  X  |   |    | X  |    |   |    |   |     |    |
Registry Entry Access       |    |     |   |    |    | X  | X |    |   |     |    |
Registry Entry Creation     |    |  X  | X | X  | X  |    | X |    |   |     |    |
Registry Entry Deletion     |    |  X  | X | X  | X  |    |   |    |   |     |    |
Registry Entry Modification |    |  X  | X | X  | X  |    | X |    |   |     |    |
Scheduled Task              |    |  X  | X | X  |    |    |   |    |   |     |    |
Service Creation            |    |  X  | X | X  | X  |    |   | X  |   |     |    |
Service Modification        |    |     | X | X  |    |    |   |    |   |     |    |
SQL Command                 | X  |     |   |    |    |    |   |    |   |     |    |
Web Request                 | X  |     |   |    |    |    |   |    |   |     |    |
Web Server                  |    |     |   |    |    |    |   |    |   |     |    |
USB Device Attached         | X  |     |   |    |    |    |   |    |   |     |    |
WMI Activity                |    |  X  | X | X  |    |    | X |    | X |     |    |
DHCP Request                |    |     |   |    |    |    |   |    |   |     |    |
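The practical use of the mapping above is a coverage-gap check: given the detection sources a SIEM actually ingests, which tactics have no visibility at all, and which source should be onboarded next to close the most gaps. The script below is an added example written for this page, not code from the original author; the rows are transcribed from the table above (rows with no tactic marked are left out), and the "ingested" source list in the main block is a constructed example, not a real deployment.

```python
TACTICS = ["IA", "Exe", "P", "PE", "DE", "CA", "D", "LM", "C", "Exf", "CC"]

# Rows transcribed from the cross-mapping table above ("<source>: <tactics marked X>");
# rows with no tactic marked are left out.
_TABLE = """\
Account Creation: IA P PE DE
Account Logon: IA Exe P PE DE LM
Account Modification: IA Exe P PE DE CA
API Usage: Exe P PE DE D C
Commandline Activity: IA Exe P PE DE CA D C Exf
Configuration Change: P DE CA D Exf
DLL Load: Exe P PE DE D Exf
Domain Replication Request: CA
Email Traffic: IA Exe DE
File Access: IA Exe P PE DE CA LM C Exf
File Contents: IA Exe P DE
File Creation: IA Exe P PE DE LM Exf
File Deletion: IA P PE DE LM
File Modification: IA P PE DE LM
File Rename: Exe P PE DE LM
Firmware Modification: P DE
MBR VBR Modification: P DE
Named Pipe Connection: PE DE
Named Pipe Creation: PE DE
Network Activity by Process: Exe CA D LM Exf CC
Network Activity by IP: Exe CA D LM Exf
Network File Carving: Exf
Network Port Opening: P PE LM
Network Full Packet Capture: IA
Process Execution: Exe P PE DE CA D LM C Exf
Process Hooking: P PE CA
Process Termination: Exe DE
Registry Entry Access: CA D
Registry Entry Creation: Exe P PE DE D
Registry Entry Deletion: Exe P PE DE
Registry Entry Modification: Exe P PE DE D
Scheduled Task: Exe P PE
Service Creation: Exe P PE DE LM
Service Modification: P PE
SQL Command: IA
Web Request: IA
USB Device Attached: IA
WMI Activity: Exe P PE D C
"""

def parse_table(text):
    """Parse '<source>: <tactic> ...' lines into {source: frozenset(tactics)}."""
    mapping = {}
    for line in text.strip().splitlines():
        name, _, tactics = line.partition(":")
        marked = frozenset(tactics.split())
        assert marked <= set(TACTICS), f"{name!r}: unknown tactic in {sorted(marked)}"
        mapping[name.strip()] = marked
    return mapping

MAPPING = parse_table(_TABLE)

def covered_tactics(sources):
    """Tactics at least one ingested source detects. Unknown source names raise
    KeyError, so a typo cannot silently read as 'no coverage'."""
    covered = set()
    for s in sources:
        covered |= MAPPING[s]
    return covered

def uncovered_tactics(sources):
    """Tactics, in table column order, that no ingested source covers."""
    covered = covered_tactics(sources)
    return [t for t in TACTICS if t not in covered]

def sources_for(tactic):
    """Data sources whose onboarding gives visibility into `tactic`."""
    return sorted(s for s, ts in MAPPING.items() if tactic in ts)

def onboarding_plan(sources):
    """Greedy set cover: keep onboarding the source (first in table order on ties)
    that adds the most still-uncovered tactics, until all tactics are covered or
    no remaining source adds any."""
    have, covered, plan = set(sources), covered_tactics(sources), []
    while len(covered) < len(TACTICS):
        best, best_gain = None, 0
        for s, ts in MAPPING.items():
            gain = len(ts - covered)
            if s not in have and gain > best_gain:
                best, best_gain = s, gain
        if best is None:
            break  # remaining tactics have no source in the table at all
        plan.append(best)
        have.add(best)
        covered |= MAPPING[best]
    return plan

if __name__ == "__main__":
    ingested = ["Account Logon", "Process Execution"]  # constructed example SIEM
    print("uncovered:", uncovered_tactics(ingested))   # ['CC']
    print("plan:", onboarding_plan(ingested))          # ['Network Activity by Process']
```

Two things worth noticing when running it against the table as written: Command and Control is reachable only through Network Activity by Process, so a SIEM that ingests nothing per-process from the network has no CC visibility no matter how much host telemetry it has, and Commandline Activity plus Network Activity by Process together touch every tactic column, which is why the greedy plan starting from an empty SIEM picks exactly those two.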

Resources