KARIM ASHRAF SPACE.
  • Who Am I ?
  • WRITEUPS
    • What about Practice in Cyber Security?
    • Dark Side of VSCode
    • What about Cy-nix Machine?
    • Cyberdefenders Labs
      • Web Investigation Blue Team Lab
      • Red Stealer Blue Team Lab
      • WebStrike Blue Team Lab
      • BlueSky Ransomware Blue Team Lab
      • PsExec Hunt Blue Team Lab
      • OpenWire Blue Team Lab
      • 3CX Supply Chain Blue Team Lab
      • PoisonedCredentials Lab
      • Reveal Lab
    • Lets Defend
      • Incident Responder Path
        • Cybersecurity Incident Handling Guide
          • Introduction to Incident Handling
          • Incident Handling Steps
          • Preparation
          • Detection and Analysis
          • Containment, Eradication, and Recovery
          • Post-Incident Activity
        • Incident Response on Windows
          • How to Create Incident Response Plan?
          • Incident Response Procedure
          • 3 Important Things
          • Free Tools That Can Be Used
          • Live Memory Analysis
          • Task Scheduler
          • Services
          • Registry Run Keys / Startup Folder
          • Files
          • Checklist
        • Incident Response on Linux
          • How to Create Incident Response Plan?
          • Incident Response Procedure
          • 3 Important Things
          • Users and Groups
          • Processes
          • Files and File System
          • Mounts
          • Network
          • Service
          • Cron Job
          • SSH Authorized Keys
          • Bash_rc & Bash_profile
          • Useful Log Files
        • Hacked Web Server Analysis
          • Introduction to Hacked Web Server Analysis
          • Log Analysis on Web Servers
          • Attacks on Web Servers
          • Attacks Against Web Applications
          • Vulnerabilities on Servers
          • Vulnerabilities in Programming Language
          • Discovering the Web Shell
          • Hacked Web Server Analysis Example
        • Log Analysis with Sysmon
          • Introduction and Set Up of Sysmon
          • Detecting Mimikatz with Sysmon
          • Detecting Pass The Hash with Sysmon
          • Detecting Privilege Escalation with Sysmon
        • Forensic Acquisition and Triage
          • Introduction to Forensics Acquisition and Triage
          • Acquiring Memory Image From Windows and Linux
          • Custom Image Using FTK and Mounting Image for Analysis
          • KAPE Targets for Acquisition
          • KAPE Modules for Triage and Analysis
          • Triage Using FireEye Redline
          • Acquisition and Triage of Disks Using Autopsy
        • Memory Forensics
          • What is Memory Forensics
          • Memory Analysis Procedures
        • Registry Forensics
          • Introduction to Windows Registry Forensics
          • Acquiring Registry Hives
          • Regedit and Registry Explorer
          • System, Users and Network Information
          • Shellbags
          • Shimcache
          • Amcache
          • Recent Files
          • Dialogue Boxes MRU
        • Event Log Analysis
          • Introduction to Event Logs
          • Event Log Analysis
          • Authentication Event Logs
          • Windows Scheduled Tasks Event Logs
          • Windows Services Event Logs
          • Account Management Events
          • Event Log Manipulation
          • Windows Firewall Event Logs
          • Windows Defender Event Logs
          • Powershell Command Execution Event logs
        • Browser Forensics
          • Introduction to Browser Forensics
          • Acquisition
          • Browser Artifacts
          • Tool: BrowsingHistoryView
          • Manual Browser Analysis
          • Hindsight Framework
        • GTFOBins
          • Introduction to GTFOBins
          • Shell
          • Command
          • Reverse Shell
          • Bind Shell
          • File Upload
          • File Download
          • Sudo
        • Hunting AD Attacks
          • Introduction to Active Directory
          • Hunting AS-REP Roasting Attack
          • Hunting for Kerberoasting Attacks
          • Hunting for LDAP Enumerations (Bloodhound_Sharphound)
          • Hunting for NTDS Database Dumping
          • Hunting for Golden Ticket Attacks
          • Hunting for NTLM Relay Attacks
        • Writing a Report on Security Incident
          • Introduction to Technical Writing
          • Reporting Standards
          • Reporting Style
          • Report Formatting
          • Report Templates
        • How to Prepare a Cyber Crisis Management Pla
          • Introduction to Crisis Management
          • General Preparation
          • Tools
          • Backups
          • Alerts and End of Crisis
        • Advanced Event Log Analysis
          • Process Creation
          • DNS Activity
          • File/Folder Monitoring
          • BITS Client Event Log
          • Network Connections Event Log
          • MSI Event Logs
        • USB Forensics
          • Introduction to USB Forensics
          • USB Registry Key
          • USB Event Logs
          • Folder Access Analysis via Shellbags
          • File Access Analysis via Jumplists
          • Automated USB Parsers Tools
        • Windows Disk Forensics
          • SRUM Database
          • Jumplists
          • Recycle Bin Artifacts
          • RDP Cache
          • Thumbnail Cache
    • BTLO LABS
      • Bruteforce BTLO
    • The Complete Active Directory Security Handbook
      • Introduction
      • Active Directory
      • Attack Technique 1: Pass the Hash: Use of Alternate Authentication Material (T1550)
      • Attack Technique 2: Pass the Ticket: Use of Alternate Authentication Material (T1550)
      • Attack Technique 3: Kerberoasting
      • Attack Technique 4: Golden Ticket Attack
      • Attack Technique 5: DCShadow Attack
      • Attack Technique 6: AS-REP Roasting
      • Attack Technique 7: LDAP Injection Attack
      • Attack Technique 8: PetitPotam NTLM Relay Attack on a Active Directory Certificate Services (AD CS)
      • Conclusion & References
    • Windows Privilege Escalation
      • Tools
      • Windows Version and Configuration
      • User Enumeration
      • Network Enumeration
      • Antivirus Enumeration
      • Default Writeable Folders
      • EoP - Looting for passwords
      • EoP - Incorrect permissions in services
      • EoP - Windows Subsystem for Linux (WSL)
      • EoP - Unquoted Service Paths
      • EoP - $PATH Interception
      • EoP - Named Pipes
      • EoP - Kernel Exploitation
      • EoP - AlwaysInstallElevated
      • EoP - Insecure GUI apps
      • EoP - Evaluating Vulnerable Drivers
      • EoP - Printers
      • EoP - Runas
      • EoP - Abusing Shadow Copies
      • EoP - From local administrator to NT SYSTEM
      • EoP - Living Off The Land Binaries and Scripts
      • EoP - Impersonation Privileges
      • EoP - Privileged File Write
      • References
      • Practical Labs
    • Advanced Log Analysis
      • Key Windows Event IDs for Cybersecurity Monitoring
      • Analyzing a Series of Failed Login Attempts from Multiple IP Addresses
      • Steps to Investigate Suspicious Outbound Network Traffic
      • Identifying and Responding to Lateral Movement within a Network
      • Distinguishing Between Legitimate and Malicious PowerShell Executions
      • Detecting and Analyzing a Potential Data Exfiltration Incident Using Log Data
      • Steps to Analyze PowerShell Logging (Event ID 4104) for Malicious Activity
      • How to Identify an Internal Pivot Attack Using Log Data
      • Indicators in Logs Suggesting a Privilege Escalation Attack
      • How to Detect Command and Control (C2) Communication Using Log Analysis
      • How to Analyze Logs to Detect a Brute-Force Attack on an RDP Service
      • How to Analyze Logs to Detect a Brute-Force Attack on an RDP Service
      • How to Detect the Use of Living-Off-the-Land Binaries (LOLBins) in Logs
      • How to Detect Malware Masquerading as a Legitimate Process Using Log Analysis
      • How to Detect and Analyze Lateral Movement Using Windows Event Logs
      • How to Detect Potential Ransomware Attacks in Their Early Stages Using Log Analysis
      • How to Detect and Analyze Privilege Escalation Using Windows Event Logs
      • How to Detect the Use of Mimikatz or Similar Tools in Log Data
      • How to Detect and Analyze DNS Tunneling Through Log Analysis
      • How to Detect a Pass-the-Hash (PtH) Attack Using Logs
      • How to Detect and Analyze an Attacker’s Use of a Remote Access Trojan (RAT) Using Log Data
      • How to Detect Lateral Movement Using Windows Event Logs
      • How to Detect and Investigate Data Exfiltration Using Logs
      • How to Identify and Analyze an Internal Phishing Campaign Using Email and System Logs
      • How to Detect and Analyze Ransomware Activity Using Logs
      • How to Detect Malicious PowerShell Activity Using Log Analysis
      • How to Detect and Respond to Brute-Force Attacks Using Log Data
      • How to Detect Privilege Escalation Attempts Using Windows Event Logs
      • How to Detect and Analyze Suspicious Domain Name Resolution Requests in DNS Logs
      • How to Detect and Respond to Unauthorized Access to Critical Files
      • How to Detect and Analyze Suspicious PowerShell Command Execution
      • How to Detect and Investigate Account Takeover (ATO) Attempts Using
      • How to Detect and Analyze the Use of Living Off the Land Binaries (LOLBins)
      • How to Detect and Investigate Lateral Movement
      • How to Detect and Investigate Data Exfiltration
      • How to Detect and Analyze Suspicious Activity Involving Service Accounts
      • How to Detect and Investigate Anomalous PowerShell Activity Related to Credential Dumping
      • How to Detect and Analyze the Execution of Unsigned or Malicious Executables
      • How to Detect and Investigate Abnormal Spikes in Network Traffic
    • Methods for Stealing Password in Browser
      • Important Tables and Columns
      • Important Queries
      • Profiles
      • Tools
        • HackBrowserData
        • Browser-password-stealer
        • BrowserPass
        • WebBrowserPassView
        • Infornito
        • Hindsight
        • BrowserFreak
        • BrowserStealer
    • Hack The Box Tracks
      • Soc Analyst Path 2024
        • 1. Incident Handling Process
          • Incident Handling Definition & Scope
          • Incident Handling's Value & Generic Notes
          • Cyber Kill Chain
          • Incident Handling Process Overview
          • Preparation Stage (Part 1)
          • Preparation Stage (Part 2)
          • DMARC
          • Endpoint Hardening (& EDR)
          • Network Protection
          • Privilege Identity Management / MFA / Passwords
          • Vulnerability Scanning
          • User Awareness Training
          • Active Directory Security Assessment
          • Purple Team Exercises
          • Detection & Analysis Stage (Part 1)
          • Initial Investigation
          • Incident Severity & Extent Questions
          • Incident Confidentiality & Communication
          • Detection & Analysis Stage (Part 2)
          • The Investigation
          • Initial Investigation Data
          • Creation & Usage Of IOCs
          • Identification Of New Leads & Impacted Systems
          • Data Collection & Analysis From The New Leads & Impacted Systems
          • Containment
          • Eradication
          • Recovery
          • Post-Incident Activity Stage
          • Reporting
        • 2. Security Monitoring & SIEM Fundamentals
          • What Is SIEM?
          • The Evolution Of SIEM And How It Works
          • SIEM Business Requirements & Use Cases Log Aggregation & Normalization
          • Data Flows Within A SIEM
          • What Are The Benefits Of Using A SIEM Solution
          • What Is the Elastic Stack?
          • The Elastic Stack As A SIEM Solution
          • How To Identify The Available Data
          • The Elastic Common Schema (ECS)
          • SOC Definition & Fundamentals
          • Evolution of Security Operations Centers (SOCs)
          • What Is MITRE ATT&CK?
          • What Is A SIEM Use Case?
          • How To Build SIEM Use Cases
          • SIEM Visualization Example 1: Failed Logon Attempts (All Users)
          • SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)
          • SIEM Visualization Example 3: Successful RDP Logon Related To Service Accounts
          • SIEM Visualization Example 4: Users Added or Removed from a Local Group
          • What Is Alert Triaging?
  • COURSES SUMMARY
    • TCM SEC
      • TCM linux Privilege Escalation
      • TCM OSINT
    • The SecOps Group
      • Certified AppSec Practitioner exam
      • CNSP Review
    • Cybrary
      • Cybrary Offensive Pentesting
  • TIPS&TRICKS
    • Windows Shorcuts Arrow Remover
    • Kali KEX
    • Intel TurboBoost
    • Pentest_Copilot
    • Ferdium
    • Youtube Adblock_Bybass
    • Burb-Bambdas
    • Burb Customizer
    • BetterFox
Powered by GitBook
On this page
  • Step 1: Comprehend Needs, Risks, and Monitoring Requirements
  • Step 2: Determine Priority, Impact, and Map to MITRE ATT&CK
  • Step 3: Define Time to Detection (TTD) and Time to Response (TTR)
  • Step 4: Create a Standard Operating Procedure (SOP)
  • Step 5: Outline the Process for Refining Alerts
  • Step 6: Develop an Incident Response Plan (IRP)
  • Step 7: Set SLAs and OLAs
  • Step 8: Implement and Maintain an Audit Process
  • Step 9: Create Documentation
  1. WRITEUPS
  2. Hack The Box Tracks
  3. Soc Analyst Path 2024
  4. 2. Security Monitoring & SIEM Fundamentals

How To Build SIEM Use Cases

Building effective SIEM use cases requires a structured and methodical approach. Below is a step-by-step guide to developing SIEM use cases, along with practical examples using the Elastic Stack as a SIEM solution.

Step 1: Comprehend Needs, Risks, and Monitoring Requirements

  • Objective: Understand the organization's security risks and define what needs to be monitored.

  • Actions:

    • Identify critical assets (e.g., servers, endpoints, applications).

    • Determine potential threats and attack vectors.

    • Establish alerts for monitoring all necessary systems.

  • Example:

    • Risk: Attackers may exploit MSBuild (a legitimate Windows tool) to execute malicious code.

    • Monitoring Requirement: Detect when MSBuild is invoked by suspicious parent processes like Microsoft Office applications (e.g., Word or Excel).

Step 2: Determine Priority, Impact, and Map to MITRE ATT&CK

  • Objective: Assign severity levels and map the use case to the MITRE ATT&CK framework or the Cyber Kill Chain.

  • Actions:

    • Assess the risk level (High, Medium, Low) based on the potential impact.

    • Map the use case to specific tactics and techniques in the MITRE ATT&CK framework.

  • Example 1 (MSBuild Started by an Office Application):

    • Priority: HIGH (due to the significant risk of Living-off-the-Land Binaries (LoLBins)).

    • MITRE Mapping:

      • Tactic: Defense Evasion (TA0005)

      • Technique: Trusted Developer Utilities Proxy Execution (T1127)

      • Sub-technique: Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)

      • Tactic: Execution (TA0002)

Step 3: Define Time to Detection (TTD) and Time to Response (TTR)

  • Objective: Set expectations for how quickly alerts should be detected and responded to.

  • Actions:

    • Define the rule execution interval (e.g., every 5 minutes).

    • Monitor logs and ensure timely ingestion into the SIEM.

  • Example:

    • Rule Execution Interval: Every 5 minutes.

    • TTD: Detect suspicious MSBuild activity within 5 minutes of log ingestion.

    • TTR: Respond to alerts within 30 minutes of detection.

Step 4: Create a Standard Operating Procedure (SOP)

  • Objective: Document the steps analysts must follow when handling alerts.

  • Actions:

    • Define the investigation process.

    • Specify escalation procedures and teams to involve.

  • Example:

    • Alert Details:

      • process.name: msbuild.exe

      • process.parent.name: WINWORD.EXE or EXCEL.EXE

      • event.action: Process creation

      • Machine and user details where the alert was triggered.

    • Investigation Steps:

      1. Analyze system logs, antivirus logs, and proxy logs for context.

      2. Review user activity (+/- 2 days around the alert).

      3. Engage with the user to verify legitimacy.

    • Escalation Matrix: Escalate to the Incident Response team if malicious activity is confirmed.

Step 5: Outline the Process for Refining Alerts

  • Objective: Continuously improve the accuracy and effectiveness of alerts.

  • Actions:

    • Identify and address false positives.

    • Update rules to exclude legitimate scenarios.

  • Example:

    • Exclude legitimate parent processes (e.g., Visual Studio) from triggering alerts.

    • Fine-tune rules based on feedback from SOC analysts.

Step 6: Develop an Incident Response Plan (IRP)

  • Objective: Define how true positive incidents will be handled.

  • Actions:

    • Include containment, eradication, and recovery steps.

    • Ensure alignment with SLAs and OLAs.

  • Example:

    • Containment: Block the source IP or isolate the affected machine.

    • Eradication: Remove malicious files and terminate suspicious processes.

    • Recovery: Restore affected systems and monitor for recurrence.

Step 7: Set SLAs and OLAs

  • Objective: Establish agreements between teams for handling alerts and incidents.

  • Actions:

    • Define response timeframes for different alert severities.

    • Ensure collaboration between SOC, IT, and other teams.

  • Example:

    • HIGH Severity: Respond within 30 minutes.

    • MEDIUM Severity: Respond within 2 hours.

    • LOW Severity: Respond within 24 hours.

Step 8: Implement and Maintain an Audit Process

  • Objective: Ensure accountability and continuous improvement.

  • Actions:

    • Regularly review logging status and alert triggers.

    • Document lessons learned from incidents.

  • Example:

    • Audit logs to confirm that all machines are logging process creation events.

    • Review alert frequency and adjust thresholds to reduce noise.

Step 9: Create Documentation

  • Objective: Maintain a knowledge base for reference and updates.

  • Actions:

    • Document the basis for creating alerts and their triggering frequency.

    • Include troubleshooting tips and fine-tuning recommendations.

  • Example:

    • Knowledge Base Entry:

      • Use Case: Detect MSBuild started by Office applications.

      • Trigger Condition: process.parent.name = WINWORD.EXE or EXCEL.EXE, process.name = msbuild.exe.

      • Frequency: Rare under normal circumstances.

Practical Examples

Example 1: MSBuild Started by an Office Application

  • Scenario: Detect when MSBuild is invoked by Microsoft Office applications, which could indicate malicious script execution.

  • Rule:

    process.name: msbuild.exe AND process.parent.name: (WINWORD.EXE OR EXCEL.EXE)

  • MITRE Mapping:

    • Tactic: Defense Evasion (TA0005), Execution (TA0002)

    • Technique: Trusted Developer Utilities Proxy Execution (T1127)

    • Sub-technique: Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)

  • Severity: HIGH

  • SOP:

    • Investigate process creation events.

    • Analyze logs for malicious activity.

    • Escalate to the Incident Response team if confirmed.

Example 2: MSBuild Making Network Connections

  • Scenario: Detect when MSBuild establishes outbound connections, which could indicate adversarial activity.

  • Rule:

    process.name: msbuild.exe AND network.direction: outbound

  • MITRE Mapping:

    • Tactic: Execution (TA0002)

    • Technique: Command and Scripting Interpreter (T1059)

  • Severity: MEDIUM

  • SOP:

    • Investigate the destination IP address.

    • Check the reputation of the IP using threat intelligence feeds.

    • Exclude legitimate IPs (e.g., Microsoft update servers) to reduce false positives.

Conclusion

Building SIEM use cases involves a combination of understanding organizational risks, mapping to frameworks like MITRE ATT&CK, and defining clear processes for detection, response, and refinement. By following a structured lifecycle and leveraging tools like the Elastic Stack, organizations can create robust use cases that enhance their security posture.

Key takeaways:

  1. Understand Risks: Focus on high-priority threats and critical assets.

  2. Map to Frameworks: Use MITRE ATT&CK to align use cases with known adversary behaviors.

  3. Define Metrics: Set TTD and TTR to measure effectiveness.

  4. Document Processes: Create SOPs and IRPs to ensure consistency.

  5. Refine Continuously: Address false positives and adapt to evolving threats.

PreviousWhat Is A SIEM Use Case?NextSIEM Visualization Example 1: Failed Logon Attempts (All Users)

Last updated 14 days ago