This dashboard helps you create, verify, and review your SIEM and SOAR configurations by providing information on detections, responses, and tests for specific groups and/or keywords.
Pulls data from MITRE ATT&CK, MITRE D3FEND, Sigma, GuardSight's Cyber Incident Response Playbook Battle Cards, and the Atomic Red Team Atomics, and maps it to MITRE ATT&CK techniques.
Uses keywords and/or groups with AND/OR logic to refine searches related to attack techniques.
You can also combine (AND, OR) keywords with groups for your search.
Here is how the framework helps an Elastic Stack deployment detect a potential persistence attempt using the Registry Run Keys / Startup Folder technique:
If you know that the APT18 and APT28 threat groups could potentially target your organisation because you work for the government (e.g. based on BSI information), you could check for the specific MITRE ATT&CK techniques associated with these two groups.
Your starting point could be any of the techniques. For the Registry Run Keys / Startup Folder technique, the resulting Elastic detection query is:
winlog.event_data.CommandLine : *reg* and winlog.event_data.CommandLine : *ADD* and winlog.event_data.CommandLine : *SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*
A PowerShell command was executed on a Windows Server 2019 to add a registry key: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
The SIEM rule detected this activity and triggered the SOAR response to investigate and mitigate the potential threat.
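The following is an added example (not part of this dashboard's code) that re-implements the three-clause AND rule above in Python and runs it over a few constructed Windows event records, so you can check which command lines the rule does and does not fire on before deploying it. It assumes case-insensitive matching (as on an analysed text field) and the standard ATT&CK ID for Registry Run Keys / Startup Folder, T1547.001.

```python
"""Run-key persistence detection replayed over constructed event records."""

# The three wildcard clauses of the SIEM rule; all must match (AND logic).
# In the KQL query "\\" stands for one literal backslash, so the clause here
# is written with single backslashes.
RUN_KEY_CLAUSES = ("reg", "ADD", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

# Assumption: the technique ID the rule is mapped to (Registry Run Keys / Startup Folder).
TECHNIQUE_ID = "T1547.001"


def matches_run_key_rule(command_line: str) -> bool:
    """True when every clause occurs in the command line (case-insensitive).

    Assumes the CommandLine field is analysed text; if it is a case-sensitive
    keyword field in your index, drop the lower() calls to mirror the SIEM.
    """
    lowered = command_line.lower()
    return all(clause.lower() in lowered for clause in RUN_KEY_CLAUSES)


def evaluate_events(events):
    """Return one hit per event whose winlog.event_data.CommandLine fires the rule."""
    hits = []
    for ev in events:
        cmd = ev.get("winlog", {}).get("event_data", {}).get("CommandLine", "")
        if matches_run_key_rule(cmd):
            hits.append({"event_id": ev["id"], "technique": TECHNIQUE_ID, "CommandLine": cmd})
    return hits


# Constructed sample events (not real telemetry); only the first should fire.
SAMPLE_EVENTS = [
    {"id": 1, "winlog": {"event_data": {"CommandLine":
        'REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" '
        '/V "Atomic Red Team" /t REG_SZ /F /D "calc.exe"'}}},
    # Reads the Run key but does not add to it: no "ADD" clause.
    {"id": 2, "winlog": {"event_data": {"CommandLine":
        'reg query HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'}}},
    # Adds a value, but under an unrelated key: no Run-key clause.
    {"id": 3, "winlog": {"event_data": {"CommandLine":
        'reg add HKLM\\SOFTWARE\\Contoso /v Foo /t REG_SZ /d bar'}}},
    # Event without a CommandLine field must be skipped, not crash the rule.
    {"id": 4, "winlog": {"event_data": {}}},
]

if __name__ == "__main__":
    for hit in evaluate_events(SAMPLE_EVENTS):
        print(hit)
```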
If you have any problems or questions, please contact me by email: