{"id":13625199,"url":"https://github.com/TonyPhipps/SIEM","last_synced_at":"2025-04-16T06:32:05.715Z","repository":{"id":48074662,"uuid":"143320862","full_name":"TonyPhipps/SIEM","owner":"TonyPhipps","description":"SIEM Tactics, Techniques, and Procedures","archived":false,"fork":false,"pushed_at":"2024-10-18T16:30:10.000Z","size":1382,"stargazers_count":580,"open_issues_count":1,"forks_count":101,"subscribers_count":32,"default_branch":"master","last_synced_at":"2024-10-18T17:03:24.102Z","etag":null,"topics":["analysis","baseline","blue","forensics","hunt","incident","log","monitor","purple","recon","red","response","scan","security","siem","soc","team","threat","threat-hunting","triage"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TonyPhipps.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-02T16:40:34.000Z","updated_at":"2024-10-18T16:30:13.000Z","dependencies_parsed_at":"2023-01-31T07:01:14.377Z","dependency_job_id":"b65b5bfd-aee7-45c5-a1d6-e909cf8cff4f","html_url":"https://github.com/TonyPhipps/SIEM","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TonyPhipps%2FSIEM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TonyPhipps%2FSIEM/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TonyPhipps%2FSIEM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/TonyPhipps%2FSIEM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TonyPhipps","download_url":"https://codeload.github.com/TonyPhipps/SIEM/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223700278,"owners_count":17188290,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analysis","baseline","blue","forensics","hunt","incident","log","monitor","purple","recon","red","response","scan","security","siem","soc","team","threat","threat-hunting","triage"],"created_at":"2024-08-01T21:01:52.234Z","updated_at":"2025-04-16T06:32:05.708Z","avatar_url":"https://github.com/TonyPhipps.png","language":"PowerShell","funding_links":[],"categories":["PowerShell","Resources","🛠️ Developer Tools"],"sub_categories":["Event ID configuration and monitoring suggestions"],"readme":"These resources are intended to guide a SIEM team to...\n* ... develop a workflow for content creation (and retirement) in the SIEM and other security tools.\n* ... illustrate detection coverage provided and highlight coverage gaps as goals to fill.\n* ... eliminate or add additional layers of coverage based on organizational needs.\n* Ensure proper logs are generated and recorded for sufficient detection, investigation, and compliance.\n\n# Preparation, Prerequisites, etc.\nWithout covering the basics, there isn't much point in having a SIEM. 
Harden your environment and configure appropriate auditing on all endpoints.\n- [Preparation](/Preparation.md)\n- [Incident Response Policy Sample](/Policy/Incident-Response-Policy.md)\n- [RSS Feeds, Subscriptions, etc](/osintel.md)\n- [Logging](/Logging.md)\n- [Notable Event IDs](/Notable-Event-IDs.md)\n- [IR Tools \u0026 Resources](/response-tools-resources.md)\n- [Incident Tracking](/incident-tracking.md)\n- [Metrics](/Metrics.md)\n- [Attacker Tools](/attack-tools-resources.md)\n\n## Hardening\n- [DNS Security](/hardening/dns-security.md)\n- [Email Security](/hardening/email-security.md)\n- [General Security](/hardening/general-security.md)\n- Microsoft 365\n  - [Auditing and Reporting](/hardening/microsoft-365-auditing-and-reporting.md)\n  - [Azure AD](/hardening/microsoft-365-azure-ad.md)\n  - [Exchange](/hardening/microsoft-365-exchange.md)\n  - [SharePoint and OneDrive](/hardening/microsoft-365-sharepoint-and-onedrive.md)\n  - [Teams](/hardening/microsoft-365-teams.md)\n- [Microsoft Active Directory](hardening/microsoft-active-directory.md)\n- [Microsoft Windows DNS](/hardening/microsoft-windows-dns.md)\n- [Microsoft Windows](hardening/microsoft-windows.md)\n- [Network](hardening/network.md)\n- [Remote Access](/hardening/remote-access.md)\n- [Software Manufacturers](/hardening/software-manufacturers.md)\n- [Web Security](/hardening/web-security.md)\n\n\n# [Detection Tactics](/Detection-Tactics.md)\n\nTo detect an attacker, one must be equipped with the necessary logs to reveal their activities. 
Here we use a matrix to map detection tactics to attacker tactics ([MITRE ATT\u0026CK](https://attack.mitre.org/)).\n\n\n# [Detection Methods](/Detection-Methods.md)\n\nOnce the necessary logs are collected (detection tactics), use various methods to reveal anomalous, suspicious, and malicious activity.\n\n\n# Detection Use Cases\n\nUse Cases provide a means to document solutions for many reasons, including tracking work, uniform response, content recreation, metrics \u0026 reporting, making informed decisions, avoiding work duplication, and more.\n\n- [Use Case Structure](/Use-Case-Structure.md)\n- [Use Case Review](/Use-Cases.md)\n\n\n# Data Enrichment\n\nEnrichment adds context to ingested logs that the raw event lacks. Typically enrichment will result in either adding a new field to events or a lookup table for use in filtering or filling in a field.\n\n- GeoIP/ASN Lookup\n- Levenshtein Distance\n- Shannon Entropy Scores\n- String Lengths\n- Top 1 Million Domains\n- WHOIS Caching\n- DNS Lookup\n- Reverse-DNS Lookup\n- Certificate Parsing\n- [O365 Principal App IDs](/Lookups/o365-principalappid.csv)\n- [Windows Logon Type Lookups](/Lookups/windows-logon-type.csv)\n- [Windows Status Code Lookups](/Lookups/windows-status-code.csv)\n\n\n# [Lab](/Lab/WindowsVictim.md)\nSet up a lab with a Windows system, a SIEM, and an attacking system to aid in detection research and development.\n\n\n# TODO\n- [ ] Add Use Case Examples\n- [ ] Add Threat Hunts Library\n- [ ] Add an object oriented, relational database approach to recording and associating all elements to one another - cases, adversaries, techniques, mitigations, detections, hunts, log sources, etc.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTonyPhipps%2FSIEM","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FTonyPhipps%2FSIEM","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTonyPhipps%2FSIEM/lists"}
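The README's Data Enrichment section lists Levenshtein distance, Shannon entropy, string lengths and a Top 1 Million Domains lookup as fields to add to ingested events. The following is an added example, not code from the TonyPhipps/SIEM repository, showing how those four enrichments combine on DNS query logs to surface typosquatted and DGA-style domains. The log format, the three sample log lines, the four-entry `TOP_DOMAINS` tuple (a stand-in for a real top-1M list) and the thresholds are all constructed assumptions; the registered-domain extraction takes the last two labels and ignores the Public Suffix List, so multi-label suffixes such as `co.uk` are handled incorrectly in this example.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a "Top 1 Million Domains" lookup table (assumption).
TOP_DOMAINS = ("amazon.com", "github.com", "google.com", "microsoft.com")

# Assumed thresholds; tune them against a baseline of your own DNS traffic.
DGA_MIN_ENTROPY = 3.5          # bits per character of the second-level label
DGA_MIN_LENGTH = 12            # second-level label length
TYPOSQUAT_MAX_DISTANCE = 2     # edits away from a top domain, but not equal to it

# Constructed sample DNS log lines (assumed format: key=value fields).
SAMPLE_LOG = [
    "2024-10-18T16:30:10Z client=10.0.0.5 query=mail.google.com type=A",
    "2024-10-18T16:30:11Z client=10.0.0.5 query=login.micros0ft.com type=A",
    "2024-10-18T16:30:12Z client=10.0.0.7 query=x7k9q2pw4zj8r1tm.net type=A",
]
LOG_RE = re.compile(r"query=(?P<query>\S+)")


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using a two-row DP table."""
    if a == b:
        return 0
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the hostname (assumption: no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def enrich_domain(host: str) -> dict:
    """Return the enrichment fields a SIEM would attach to a DNS query event."""
    reg = registered_domain(host)
    sld = reg.split(".")[0]                      # second-level label
    entropy = shannon_entropy(sld)
    # Tie-break on the domain string so the result is deterministic.
    nearest = min(TOP_DOMAINS, key=lambda d: (levenshtein(reg, d), d))
    dist = levenshtein(reg, nearest)
    return {
        "registered_domain": reg,
        "sld_length": len(sld),
        "sld_entropy": round(entropy, 3),
        "nearest_top_domain": nearest,
        "nearest_top_distance": dist,
        "in_top_domains": reg in TOP_DOMAINS,
        # Close to a well-known domain but not identical to it.
        "suspect_typosquat": 0 < dist <= TYPOSQUAT_MAX_DISTANCE,
        # Long, high-entropy label: typical of algorithmically generated domains.
        "suspect_dga": len(sld) >= DGA_MIN_LENGTH and entropy >= DGA_MIN_ENTROPY,
    }


def enrich_log_line(line: str):
    """Parse the query field out of a log line and enrich it; None if absent."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"raw": line, **enrich_domain(m.group("query"))}


if __name__ == "__main__":
    for event in (enrich_log_line(l) for l in SAMPLE_LOG):
        flags = [k for k in ("suspect_typosquat", "suspect_dga") if event[k]]
        print(event["registered_domain"], event["sld_entropy"],
              event["nearest_top_domain"], event["nearest_top_distance"],
              flags or "-")
```

The added fields are meant to be filtered on in a detection search rather than alerted on directly: a distance of 1 to `microsoft.com` with `in_top_domains` false is a strong typosquat signal, while the entropy and length fields are a first-pass DGA filter that still needs a frequency baseline to keep CDN and cloud hostnames from tripping it.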