Skip to content

TonyPhipps/SIEM

1 Branch0 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

TonyPhippsTonyPhipps
updates
Feb 24, 2025
7833f19 · Feb 24, 2025

History

421 Commits
Lab
Lab
Dec 4, 2021
Lookups
Lookups
Nov 8, 2020
Policy
Policy
Mar 6, 2024
Signatures/Splunk
Signatures/Splunk
Sep 11, 2024
Splunk/apps/Splunk_TA_paloalto/local
Splunk/apps/Splunk_TA_paloalto/local
Feb 11, 2025
Tactics
Tactics
Aug 28, 2024
UseCases
UseCases
Jan 28, 2020
hardening
hardening
Jan 7, 2025
sigma
sigma
Feb 24, 2025
.gitignore
.gitignore
Apr 27, 2020
Detect.ods
Detect.ods
Dec 8, 2019
Detection-Library-Structure.md
Detection-Library-Structure.md
Oct 22, 2024
Detection-Methods.md
Detection-Methods.md
May 16, 2024
Detection-Tactics.md
Detection-Tactics.md
Jun 7, 2023
LICENSE
LICENSE
Aug 2, 2018
Logging.md
Logging.md
Mar 20, 2023
Metrics.md
Metrics.md
Nov 16, 2021
Notable-Event-IDs.md
Notable-Event-IDs.md
Nov 29, 2023
README.md
README.md
Feb 28, 2024
Threat-Hunting.md
Threat-Hunting.md
May 16, 2024
Use-Case-Structure.md
Use-Case-Structure.md
Feb 24, 2025
Use-Cases.md
Use-Cases.md
Oct 16, 2024
attack-tools-resources.md
attack-tools-resources.md
Aug 29, 2024
dashboards.md
dashboards.md
Mar 20, 2023
field-kit.md
field-kit.md
Apr 3, 2024
incident-tracking.md
incident-tracking.md
Dec 4, 2021
interview-questions.md
interview-questions.md
Aug 21, 2024
mitigation-categories.md
mitigation-categories.md
Oct 17, 2022
osintel.md
osintel.md
Oct 17, 2022
response-tools-resources.md
response-tools-resources.md
Oct 18, 2024
technical-documentation.md
technical-documentation.md
Dec 27, 2023

Repository files navigation

These resources are intended to guide a SIEM team to...

  • ... develop a workflow for content creation (and retirement) in the SIEM and other security tools.
  • ... illustrate detection coverage provided and highlight coverage gaps as goals to fill.
  • ... eliminate or add additional layers of coverage based on organizational needs.
  • Ensure proper logs are generated and recorded for sufficient detection, investigation, and compliance.

Preparation, Prerequisites, etc.

Without covering the basics, there isn't much point in having a SIEM. Harden your environment and configure appropriate auditing on all endpoints.

Hardening

Detection Tactics

To detect an attacker, one must be equipped with the necessary logs to reveal their activities. Here we use a matrix to map detection tactics to attacker tactics (Mitre ATT&CK).

Detection Methods

Once necessary logs are collected (detection tactics), use various methods to reveal anomalous, suspicious, and malicious activity.

Detection Use Cases

Use Cases provide a means to document solutions for many reasons including tracking work, uniform response, content recreation, metrics & reporting, making informed decisions, avoiding work duplication, and more.

Data Enrichment

These efforts can provide significant benefits to some ingested logs. Typically enrichment will result in either adding a new field to events or a lookup table for use in filtering or filling in a field.

Lab

Set up a lab with a Windows system, a SIEM, and an attacking system to aid in detection research and development.

TODO

  • Add Use Case Examples
  • Add Threat Hunts Library
  • Add an object oriented, relational database approach to recording and associating all elements to one another - cases, adversaries, techniques, mitigations, detections, hunts, log sources, etc.

About

SIEM Tactics, Techiques, and Procedures

Topics

security monitor log analysis red blue scan threat forensics response purple baseline threat-hunting hunt recon team siem soc incident triage

Resources

Readme

License

GPL-3.0 license
Activity

Stars

616 stars

Watchers

33 watching

Forks

104 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

Languages