
TonyPhipps / Siem

Licence: gpl-3.0
SIEM Tactics, Techniques, and Procedures

Projects that are alternatives of or similar to Siem

Meerkat
A collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints.
Stars: ✭ 284 (+80.89%)
Mutual labels:  analysis, baseline, response, monitor, log, recon, forensics, threat-hunting, scan, siem, threat
WELA
WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! ゑ羅(ウェラ)
Stars: ✭ 442 (+181.53%)
Mutual labels:  log, analysis, threat, forensics, response
siemstress
Very basic CLI SIEM (Security Information and Event Management system).
Stars: ✭ 24 (-84.71%)
Mutual labels:  log, forensics, siem
LogESP
Open Source SIEM (Security Information and Event Management system).
Stars: ✭ 162 (+3.18%)
Mutual labels:  log, forensics, siem
Teler
Real-time HTTP Intrusion Detection
Stars: ✭ 1,248 (+694.9%)
Mutual labels:  log, threat-hunting, threat
hayabusa
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
Stars: ✭ 908 (+478.34%)
Mutual labels:  threat, forensics, response
Attackdatamap
A datasource assessment on an event level to show potential coverage of the MITRE ATT&CK framework
Stars: ✭ 264 (+68.15%)
Mutual labels:  threat-hunting, siem
Baize
Baize (白泽) automated operations system: configuration management, network probing, asset management, business management, CMDB, CD, DevOps, job orchestration, task orchestration and more; monitoring, alerting, log analysis and big-data analysis will be added in the future.
Stars: ✭ 296 (+88.54%)
Mutual labels:  monitor, log
Security Code Scan
Vulnerability Patterns Detector for C# and VB.NET
Stars: ✭ 550 (+250.32%)
Mutual labels:  analysis, scan
Build
TeaWeb - a web proxy service with a visual management interface. DEMO: http://teaos.cn:7777
Stars: ✭ 656 (+317.83%)
Mutual labels:  monitor, log
detection-rules
Threat Detection & Anomaly Detection rules for popular open-source components
Stars: ✭ 34 (-78.34%)
Mutual labels:  threat-hunting, siem
Grassmarlin
Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber
Stars: ✭ 621 (+295.54%)
Mutual labels:  analysis, monitor
Cortex
Cortex: a Powerful Observable Analysis and Active Response Engine
Stars: ✭ 676 (+330.57%)
Mutual labels:  analysis, response
blue-teaming-with-kql
Repository with Sample KQL Query examples for Threat Hunting
Stars: ✭ 102 (-35.03%)
Mutual labels:  threat-hunting, siem
ir scripts
incident response scripts
Stars: ✭ 17 (-89.17%)
Mutual labels:  forensics, threat-hunting
Uavstack
UAVStack Open Source All in One Repository
Stars: ✭ 648 (+312.74%)
Mutual labels:  monitor, log
Patrowlhears
PatrowlHears - Vulnerability Intelligence Center / Exploits
Stars: ✭ 89 (-43.31%)
Mutual labels:  threat-hunting, threat
Rita
Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Stars: ✭ 1,352 (+761.15%)
Mutual labels:  analysis, threat
Timesketch
Collaborative forensic timeline analysis
Stars: ✭ 1,795 (+1043.31%)
Mutual labels:  analysis, forensics
smram parse
System Management RAM analysis tool
Stars: ✭ 50 (-68.15%)
Mutual labels:  analysis, forensics

These resources are intended to guide a SIEM team to:

  • develop a workflow for content creation (and retirement) in the SIEM and other security tools;
  • illustrate the detection coverage provided and highlight coverage gaps as goals to fill;
  • eliminate or add layers of coverage based on organizational needs;
  • ensure proper logs are generated and recorded for sufficient detection, investigation, and compliance.

Detection Prerequisites

Without covering the basics, there isn't much point in having a SIEM. Harden your environment and configure appropriate auditing on all endpoints.

Hardening

Detection Tactics

To detect an attacker, one must be equipped with the logs needed to reveal their activities. Here a matrix maps detection tactics to attacker tactics (MITRE ATT&CK).

Detection Methods

Once necessary logs are collected (detection tactics), use various methods to reveal anomalous, suspicious, and malicious activity.

Detection Use Cases

Use Cases provide a means to document solutions for many reasons including tracking work, uniform response, content recreation, metrics & reporting, making informed decisions, avoiding work duplication, and more.

Data Enrichment

Enrichment can add significant value to some ingested logs. Typically it either adds a new field to each event or provides a lookup table that is used for filtering or for filling in a field.
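The two enrichment shapes described above, as an added example that is not part of the TonyPhipps/Siem project: an asset inventory held as a lookup table is used once to add fields (owner, criticality, zone) to every event, and once as a filter to surface events from hosts missing from inventory. The inventory rows, hostnames, and events are constructed sample data; the Windows event IDs used (4625 failed logon, 4688 process creation, 4624 logon) are standard Security log IDs.

```python
"""Log enrichment from a lookup table: add fields to events, and use the
table as a filter. Added example; all sample data is constructed."""
import csv
import io
from typing import Dict, List

# Constructed asset inventory, the kind of lookup table a SIEM would hold.
ASSET_CSV = """hostname,owner,criticality,zone
fs01,finance,high,internal
web02,webteam,medium,dmz
jump01,secops,high,admin
"""

# Constructed events, already parsed into key/value form by the SIEM.
EVENTS: List[Dict[str, str]] = [
    {"time": "2024-01-05T10:00:01Z", "host": "fs01", "event_id": "4625", "user": "alice"},
    {"time": "2024-01-05T10:00:07Z", "host": "web02", "event_id": "4688", "user": "svc_web"},
    {"time": "2024-01-05T10:00:09Z", "host": "laptop77", "event_id": "4624", "user": "bob"},
]


def load_lookup(csv_text: str, key: str) -> Dict[str, Dict[str, str]]:
    """Build a lookup table keyed on one column (here the hostname), lower-cased
    so that case differences between inventory and logs do not cause misses."""
    table: Dict[str, Dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[row[key].lower()] = row
    return table


def enrich(event: Dict[str, str], lookup: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return a copy of the event with asset_* fields added.
    Hosts absent from inventory get an explicit 'unknown' value instead of a
    missing field, so searches can key on the gap itself."""
    out = dict(event)  # never mutate the original event
    row = lookup.get(event["host"].lower())
    out["asset_owner"] = row["owner"] if row else "unknown"
    out["asset_criticality"] = row["criticality"] if row else "unknown"
    out["asset_zone"] = row["zone"] if row else "unknown"
    return out


def enrich_all(events: List[Dict[str, str]], lookup: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    return [enrich(e, lookup) for e in events]


def unknown_hosts(events: List[Dict[str, str]], lookup: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Lookup table used as a filter: events from hosts that are not in inventory."""
    return [e for e in events if e["host"].lower() not in lookup]


def high_criticality_failed_logons(enriched: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """A search only possible because of the added field: failed logons
    (event 4625) on assets the inventory marks as high criticality."""
    return [e for e in enriched
            if e["event_id"] == "4625" and e["asset_criticality"] == "high"]


if __name__ == "__main__":
    assets = load_lookup(ASSET_CSV, "hostname")
    enriched_events = enrich_all(EVENTS, assets)
    for ev in enriched_events:
        print(ev)
    print("not in inventory:", [e["host"] for e in unknown_hosts(EVENTS, assets)])
    print("failed logons on high-criticality assets:",
          len(high_criticality_failed_logons(enriched_events)))
```

Keying the table on a normalised hostname and writing an explicit `unknown` value are the two details that matter in practice: silent misses and absent fields both make the enrichment look complete when it is not.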

Metrics

Metrics, together with the fields, queries, and manual work each one requires. This section also suggests which ticketing system and form fields are recommended to allow proper recording and reporting of metrics.

Lab

Set up a lab with a Windows system, a SIEM, and an attacking system to aid in detection research and development.

TODO

  • [ ] Add Use Case Leads per "tactic" (type of event log)
  • [ ] Add Use Case Examples
  • [ ] Add Isolation sources per OS/software/etc