Awesome

These resources are intended to guide a SIEM team to...

Preparation, Prerequisites, etc.

Without covering the basics, there isn't much point in having a SIEM. Harden your environment and configure appropriate auditing on all endpoints.

Hardening

Detection Tactics

To detect an attacker, one must be equipped with the logs needed to reveal their activities. Here we use a matrix to map detection tactics to attacker tactics (MITRE ATT&CK).

Detection Methods

Once necessary logs are collected (detection tactics), use various methods to reveal anomalous, suspicious, and malicious activity.

Detection Use Cases

Use cases provide a means to document detection solutions, which serves many purposes: tracking work, uniform response, content recreation, metrics and reporting, making informed decisions, avoiding duplicated work, and more.

Data Enrichment

Enrichment can add significant value to some ingested logs. Typically it results in either a new field added to events or a lookup table used for filtering or for filling in a field.

Lab

Set up a lab with a Windows system, a SIEM, and an attacking system to aid in detection research and development.

TODO