Examples of poor executions with detection creation
Creating alerts is part of any security operations center (SOC) team’s responsibilities. The team can write them in YARA, Splunk Processing Language (SPL), Suricata, and so on, whatever language makes sense for the tools that your organization uses. I can also guarantee that anyone who has ever worked in a SOC can relate to alerts that generate a large number of false positives and quickly become tiresome to triage, or that, due to ineffective filtering, become quite complicated to work because they carry more information than is needed. A few alerts come to mind, but the first one is an alert for periodic beaconing, which can be indicative of an infected system sending a ping out to a C2 server. This alert could map to the following techniques in MITRE ATT&CK:
- T1071: Application Layer Protocol
  - Web Protocols
  - File Transfer Protocols
  - Mail Protocols
  - DNS
- T1132: Data Encoding
  - Standard Encoding
  - Non...