There are many different products in the market. But arcsight different other vendors. Everytime you can learn new different things when you develop your own correlation rules, dashboards, filters, much many more. Today I want to share with you, specially arcsight has started provides for default contents MITRE ATT&CK. Arcsight marketplace has many different use case, security best practices and content. If you want to weaponized your SIEM, you are at the right place.
Esm Default content includes Security Threat Monitoring package and Threat Intelligence Platform package, It also includes resources for tracking Techniques from the MITRE ATT&CK framework.
Following use cases are covered in this package.
- Botnet Activity
- Dangerous Browsing
- Internal Asset found in Reputation list
- Phishing
- Ransomware
- Suspicious Activity
- Suspicious Dns Query
- Suspicious E-mail
- Suspicious File Hash
- T1192 Spearphishing Link
- T1219 Remote Access Tools
- T1486-Data Encrypted for Impact
Security Threat Monitoring
- Application Monitoring
- Entity Monitoring
- Host Monitoring
- Malware Monitoring
- Network Monitoring
- Perimeter Monitoring
- Vulnerability Monitoring
Following MITRE ATT&CK Techniques are covered as well.
- T1189 Drive By Compromise
- T1190-Exploit Public-Facing Application
- T1098-Account Manipulation
- T1136-Create Account
- T1068-Exploitation for Privilege Escalation
- T1089-Disabling Security Tools
- T1110-Brute Force
- T1075-Pass the Hash
- T1210-Exploitation of Remote Services
- T1483-Domain Generation Algorithms
- T1489-Service Stop
- T1498-Network Denial of Service
You can install this .arb packages easy, but when you install the packages please be careful enable all rules. Check and eliminate false positive events and understand purpose of packages. Then you can customeze with your log types.
Reference:
