Project Name | Description | Stars | Downloads / Repos / Packages Using This | Most Recent Commit | Total Releases | Latest Release | Open Issues | License | Language
---|---|---|---|---|---|---|---|---|---
Trivy | Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more | 19,407 | 56 | a day ago | 204 | November 06, 2023 | 198 | apache-2.0 | Go
Nuclei | Fast and customizable vulnerability scanner based on simple YAML based DSL. | 15,502 | 10 | a day ago | 381 | September 16, 2023 | 195 | mit | Go
Bettercap | The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks. | 14,791 | | 24 days ago | 61 | April 21, 2021 | 169 | other | Go
Trufflehog | Find and verify credentials | 12,756 | 6, 6 | 4 days ago | 42 | April 28, 2021 | 188 | agpl-3.0 | Go
Routersploit | Exploitation Framework for Embedded Devices | 11,548 | | 14 days ago | | | 108 | other | Python
Rustscan | 🤖 The Modern Port Scanner 🤖 | 11,148 | 1 | 3 months ago | 18 | November 07, 2022 | 128 | gpl-3.0 | Rust
Dirsearch | Web path scanner | 10,552 | | 6 days ago | 8 | October 03, 2022 | 60 | | Python
Awesome Security | A collection of awesome software, libraries, documents, books, resources and cool stuff about security. | 10,497 | | 18 days ago | | | 16 | mit |
Vuls | Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices | 10,386 | | 3 days ago | 162 | November 20, 2023 | 79 | gpl-3.0 | Go
Tsunami Security Scanner | Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence. | 7,940 | 4 | 2 months ago | 18 | July 25, 2023 | 41 | apache-2.0 | Java
These resources are intended to guide a SIEM team to...
Without covering the basics, there isn't much point in having a SIEM. Harden your environment and configure appropriate auditing on all endpoints.
To detect an attacker, one must be equipped with the logs needed to reveal their activities. Here we use a matrix to map detection tactics to attacker tactics (MITRE ATT&CK).
Once necessary logs are collected (detection tactics), use various methods to reveal anomalous, suspicious, and malicious activity.
Use cases provide a means to document detection solutions and serve many purposes, including tracking work, ensuring a uniform response, recreating content, metrics and reporting, making informed decisions, and avoiding duplicated work.
Enrichment efforts can add significant value to some ingested logs. Typically enrichment results in either a new field added to events or a lookup table used for filtering or for filling in a field.
Set up a lab with a Windows system, a SIEM, and an attacking system to aid in detection research and development.