Welcome to SIOR

SIOR is a dashboard that helps you create, verify and review your SIEM and SOAR configurations. For the threat groups and/or keywords you select, it gathers the matching detections (Sigma rules), responses (incident response playbooks) and tests (Atomic Red Team atomics), all mapped to MITRE ATT&CK techniques.

Features

Data Integration

Pulls data from MITRE ATT&CK, MITRE D3FEND, Sigma, GuardSight's Cyber Incident Response Playbook Battle Cards and the Atomic Red Team atomics, and maps each item to the MITRE ATT&CK technique(s) it covers.

Advanced Search

Combines keywords and/or threat groups with AND/OR logic to narrow the set of ATT&CK techniques shown. Keywords and groups can be mixed in one query, for example all techniques used by either of two groups that also match a keyword.

Example Use Case

Here is how SIOR helps you build an Elastic Stack detection for a persistence attempt that uses the Registry Run Keys / Startup Folder technique (ATT&CK T1547.001):

Context

Dashboard view: APT18 and APT28

If you know that the APT18 and APT28 threat groups could target your organisation, for example because you work for a government body and BSI threat information says so, you can look up the MITRE ATT&CK techniques attributed to these two groups and check your detection coverage for each of them.

Techniques view

Any of the listed techniques can be your starting point.

SIEM Rule Created

Details for Registry Run Keys / Startup Folder

The Sigma rule for this technique tells us to create a detection that checks process command lines for all of the given strings.

Kibana Registry Run Keys / Startup Folder rule

This results in the following Kibana (KQL) rule:

winlog.event_data.CommandLine : *reg* and winlog.event_data.CommandLine : *ADD* and winlog.event_data.CommandLine : *SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*

Two things to keep in mind with this rule: the leading and trailing wildcards make each clause a substring match, so the last clause also covers RunOnce and any other key under CurrentVersion whose name starts with Run, while *reg* on its own is a very broad token. KQL wildcard matching is case-sensitive on keyword fields and case-insensitive on analyzed text fields, so whether the lower-case *reg* matches an upper-case REG depends on how winlog.event_data.CommandLine is mapped in your index; check the mapping before relying on it.

SIEM Alert Triggered

The Atomic Red Team test for this technique was run from PowerShell on a Windows Server 2019 host. It adds a Run key value with the following command, where #{command_to_execute} is the test's input-argument placeholder for the program to persist:

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"

Kibana Registry Run Keys / Startup Folder alert

The SIEM rule matched this command line, raised an alert, and triggered the SOAR response to investigate and mitigate the potential threat.
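To see what the three-clause rule above actually matches, here is an added example (not part of SIOR or of the original page) that replays the KQL rule in plain Python over constructed Winlogbeat-style events. It implements only the subset of KQL the rule uses (field : value, * wildcards, \\ escapes and "and"); the event shape, the sample command lines and the case_sensitive switch that models a keyword versus a text field mapping are assumptions made for the example.

```python
"""Added example, not SIOR's own code: replay the Kibana KQL rule from the
use case above over constructed winlog-style events.

Only the subset of KQL the rule uses is implemented: 'field : value'
clauses, '*' wildcards, the '\\\\' escape and 'and'.
"""
import fnmatch
import re

# The rule exactly as written in the use case above (raw string, so the
# KQL escapes '\\' survive as two characters until parse_kql_and unescapes them).
KQL_RULE = (
    r"winlog.event_data.CommandLine : *reg* and "
    r"winlog.event_data.CommandLine : *ADD* and "
    r"winlog.event_data.CommandLine : *SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*"
)


def parse_kql_and(rule):
    """Split a flat 'f : v and f : v ...' KQL expression into (field, value)
    pairs, turning the KQL escape '\\\\' into a single literal backslash."""
    clauses = []
    for part in re.split(r"\s+and\s+", rule.strip()):
        field, _, value = part.partition(":")
        clauses.append((field.strip(), value.strip().replace("\\\\", "\\")))
    return clauses


def get_field(event, dotted):
    """Resolve a dotted field name such as winlog.event_data.CommandLine
    against a nested event dict; None when any level is missing."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_rule(event, rule=KQL_RULE, case_sensitive=True):
    """True when every clause of the rule matches the event.

    Wildcard matching on an Elasticsearch keyword field is case-sensitive
    (the default here, which is how Winlogbeat maps winlog.event_data.*);
    pass case_sensitive=False to model an analyzed text field instead.
    Each '*value*' clause is turned into a regex with fnmatch.translate,
    so the match semantics are 'contains', exactly like the KQL wildcards."""
    flags = 0 if case_sensitive else re.IGNORECASE
    for field, pattern in parse_kql_and(rule):
        value = get_field(event, field)
        if value is None or not re.match(fnmatch.translate(pattern), str(value), flags):
            return False
    return True


def make_event(command_line, event_id=1):
    """Constructed Sysmon process-creation event in the shape Winlogbeat
    ships it (sample data, not real telemetry)."""
    return {"winlog": {"event_id": event_id, "event_data": {"CommandLine": command_line}}}


# Constructed sample command lines, not real telemetry.
SAMPLE_EVENTS = [
    # 0: the Atomic Red Team command from the alert above (upper-case REG)
    make_event(r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "calc.exe"'),
    # 1: lower-case reg.exe writing RunOnce; the trailing '*' of the last clause covers RunOnce too
    make_event(r'reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v upd /t REG_SZ /d C:\Users\Public\upd.exe'),
    # 2: contains 'reg' but is not a Run-key write; must not fire
    make_event(r"regsvr32 /s C:\Windows\System32\scrobj.dll"),
    # 3: same persistence through a PowerShell cmdlet; no 'reg' or 'ADD' substring, so this command-line rule misses it
    make_event(r"powershell -c Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name upd -Value C:\Users\Public\upd.exe"),
]


def run_rule(events, rule=KQL_RULE, case_sensitive=True):
    """Return the indexes of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev, rule, case_sensitive)]


if __name__ == "__main__":
    print("keyword field (case-sensitive):", run_rule(SAMPLE_EVENTS, case_sensitive=True))
    print("text field (case-insensitive): ", run_rule(SAMPLE_EVENTS, case_sensitive=False))
```

Run stand-alone, the script reports that on a case-sensitive keyword field only event 1 fires, while on an analyzed text field events 0 and 1 fire; event 2 never fires, and event 3 (Set-ItemProperty) is missed in both modes because the rule keys on the reg/ADD tokens rather than on the registry write itself. Covering that gap needs a registry-event source such as Sysmon Event ID 13 (RegistryEvent, value set) on the Run key path rather than another command-line pattern.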

Contact Support

If you have any problems or questions, please contact me by email: