
This document is designed to help cybersecurity analysts, threat hunters, and SOC teams enhance their detection capabilities using alerts that reflect modern-day threats. Each entry includes:
– Detection logic (KQL-ready where applicable)
– MITRE ATT&CK mappings
– Log examples
– Recommended response actions
Compatible with platforms like Microsoft Sentinel, Splunk, QRadar, and others, this workbook supports daily operations and improves alert tuning.
You Should Know:
1. KQL (Kusto Query Language) for SIEM Detection
KQL is essential for querying logs in Microsoft Sentinel. Below are practical examples:
// Detect multiple failed login attempts (Brute Force, T1110).
// Counting inside a bounded window keeps a user who mistypes a password a few times a day below the threshold.
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| summarize FailedAttempts = count() by Account, IpAddress
| where FailedAttempts > 5
| project Account, IpAddress, FailedAttempts

// Detect unusual process execution (MITRE T1059).
// Event 4688 only carries the command line when "Include command line in process creation events" is enabled;
// in the SecurityEvent table that field is CommandLine.
SecurityEvent
| where EventID == 4688
| where CommandLine contains "powershell -nop -exec bypass"
| project TimeGenerated, Account, NewProcessName, CommandLine
2. Splunk SPL for Threat Hunting
For Splunk users, leverage these SPL queries:
index=winlogs EventCode=4625
| stats count by user, src_ip
| where count > 5
| table user, src_ip, count

The encoded-command search needs a wildcard match on the field rather than a quoted literal; with the Splunk Add-on for Sysmon the event ID is in EventCode and the parent is ParentImage:

index=sysmon EventCode=1
| search CommandLine="* -enc *"
| table _time, CommandLine, ParentImage
3. Linux Command-Line Log Analysis
Use these commands to analyze logs in Linux-based SIEMs:
# Check SSH brute-force attempts: count failures per source IP.
# The IP is taken from the "from <ip>" token rather than a fixed awk column,
# because "Failed password for invalid user X from ..." shifts the columns by two.
grep "Failed password" /var/log/auth.log | grep -oE 'from [0-9.]+' | awk '{print $2}' | sort | uniq -c | sort -nr
# Monitor suspicious cron jobs (the file is /var/log/cron on RHEL-based systems; Debian writes cron to /var/log/syslog).
grep "CMD" /var/log/cron.log | grep -v "root"
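The brute-force threshold behind the KQL, SPL and grep pipelines above is easy to state and easy to get wrong in two ways: an unbounded count per source IP flags a user who mistypes a password six times over a working day, and a fixed awk column misses the "invalid user" message shape. The Python below is an added example, not part of the original write-up or of any SIEM vendor's code. It runs the same logic over constructed sshd lines: it parses both message shapes, reproduces the plain `uniq -c` count, then applies a sliding window so only a burst exceeds the threshold. The log lines, the IP addresses (RFC 5737 documentation ranges) and the year used to complete the syslog timestamps are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd entries as they appear in /var/log/auth.log (not real data).
# 203.0.113.7 is a burst; 192.0.2.9 is six failures spread over a working day;
# 198.51.100.4 is a user who fails twice and then logs in.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:05 host sshd[2003]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:07 host sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 51006 ssh2
Mar  3 10:00:09 host sshd[2005]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  3 10:00:11 host sshd[2006]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar  3 10:02:00 host sshd[2007]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar  3 10:30:00 host sshd[2008]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Mar  3 10:31:00 host sshd[2009]: Accepted password for alice from 198.51.100.4 port 40004 ssh2
Mar  3 10:05:00 host sshd[2010]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Mar  3 11:05:00 host sshd[2011]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar  3 12:05:00 host sshd[2012]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Mar  3 13:05:00 host sshd[2013]: Failed password for bob from 192.0.2.9 port 33006 ssh2
Mar  3 14:05:00 host sshd[2014]: Failed password for bob from 192.0.2.9 port 33008 ssh2
Mar  3 15:05:00 host sshd[2015]: Failed password for bob from 192.0.2.9 port 33010 ssh2
"""

# Both message shapes share "from <ip> port", so the IP is taken from that token,
# not from a fixed whitespace column ("invalid user" adds two words before it).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failed_logins(text, year=2025):
    """Return failed-login events as dicts with ts (datetime), user and ip.
    Syslog timestamps carry no year, so one is supplied (assumed 2025 here)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # "Accepted password" and unrelated lines are skipped
        stamp = " ".join(m.group("ts").split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m.group("user"), "ip": m.group("ip")})
    return events


def count_by_ip(events):
    """The unbounded per-IP count that the grep | sort | uniq -c pipeline produces."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["ip"]] += 1
    return dict(counts)


def detect_bruteforce(events, threshold=5, window_minutes=5):
    """Flag a source IP when more than `threshold` failures fall inside any
    `window_minutes` span. Returns {ip: {"peak": n, "users": [...]}}."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end, ev in enumerate(evs):
            # slide the window start forward until it is within `window` of this event
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[ip] = {"peak": peak, "users": sorted({e["user"] for e in evs})}
    return alerts


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("raw counts:", count_by_ip(evs))
    print("5-minute window:", detect_bruteforce(evs))
    print("24-hour window:", detect_bruteforce(evs, window_minutes=24 * 60))
```

With the default five-minute window only the burst from 203.0.113.7 is raised; the six spread-out failures from 192.0.2.9 reach the threshold only when the window is widened to a day, which is the trade-off the `ago(1h)` scoping in the KQL above encodes. The same windowing is what the SPL `stats` and AQL `GROUP BY` need a time range for.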
4. Windows Event IDs for SOC Analysts
Critical Windows Event IDs to monitor:
- 4625: Failed login
- 4688: New process creation
- 4104: PowerShell script block logging
- 7045: Service installation (Persistence)
Extract logs via PowerShell:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 10 | Format-Table -Wrap
5. MITRE ATT&CK Mappings
- T1110: Brute Force (Alert on EventID 4625)
- T1059: Command-Line Interface (Monitor suspicious cmd/powershell)
- T1543: Create/Modify System Process (Check unexpected services)
What Undercode Say:
SIEM alert tuning requires continuous refinement. Use Sigma rules for cross-platform detection:
title: Suspicious PowerShell Execution
description: Detects obfuscated PowerShell commands
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    CommandLine|contains:
      - ' -enc '
      - ' -e '
  condition: selection

Without the |contains modifier Sigma compares the whole field for equality, so the two list values would never match a real command line.
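To show what the Sigma selection above actually evaluates, and how an analyst triages a hit, here is an added Python example (it is not part of the original post and is not Sigma's own backend). It encodes the rule as the dict a YAML loader would produce, evaluates the `EventID` and `CommandLine|contains` entries over constructed Sysmon Event ID 1 records, decodes the base64 argument behind -enc/-e for review, and then applies a tuned variant (my addition) that also requires the image to be PowerShell, which removes the benign " -e " match from another tool. The event records, paths and the harmless scripts they encode are constructed; only the two contains values and EventID come from the rule on the page.

```python
import base64
import binascii
import re

# The page's Sigma rule as the dict a YAML loader would produce.
RULE = {
    "title": "Suspicious PowerShell Execution",
    "detection": {
        "selection": {"EventID": 1, "CommandLine|contains": [" -enc ", " -e "]},
        "condition": "selection",
    },
}

# Tuned variant (added here, not from the page): same selection plus an image
# constraint, so " -e " in another program's arguments no longer fires.
TUNED_RULE = {
    "title": "Suspicious PowerShell Execution (image-constrained)",
    "detection": {
        "selection": {
            "EventID": 1,
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": [" -enc ", " -e "],
        },
        "condition": "selection",
    },
}


def encode_powershell(script):
    """Build an -EncodedCommand argument as PowerShell expects it (UTF-16LE, base64).
    Used only to construct harmless labelled samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed Sysmon records (not real telemetry); record 3 has the wrong EventID,
# record 4 carries a benign " -e " from git.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell("Write-Host 'sample'")},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "powershell.exe -e " + encode_powershell("Get-Date")},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},
    {"EventID": 3, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -enc QQBCAA=="},
    {"EventID": 1, "Image": "C:\\Program Files\\Git\\cmd\\git.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "git.exe commit -e --amend"},
]


def field_matches(event, key, expected):
    """Evaluate one selection entry. Sigma string matching is case-insensitive, so both
    sides are lower-cased; only the modifiers this example needs are implemented."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = [str(c).lower() for c in (expected if isinstance(expected, list) else [expected])]
    if modifier == "":
        return value in candidates
    if modifier == "contains":
        return any(c in value for c in candidates)
    if modifier == "endswith":
        return any(value.endswith(c) for c in candidates)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    return all(field_matches(event, k, v) for k, v in selection.items())


# Common spellings of the switch (-e, -ec, -en, -enc, -EncodedCommand); PowerShell
# accepts any unambiguous prefix, so this list is illustrative, not exhaustive.
ENCODED_RE = re.compile(r"(?i)\s-e(?:nc(?:odedcommand)?|c|n)?\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Recover the script behind -enc/-e for triage; None when the argument is
    not well-formed base64 UTF-16LE (or the switch is something else entirely)."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def run_rule(events, rule):
    """Apply a rule whose condition names a single selection; return one hit per
    matching event with the decoded command attached for the analyst."""
    detection = rule["detection"]
    selection = detection[detection["condition"]]
    return [{"index": i, "CommandLine": ev["CommandLine"],
             "decoded": decode_encoded_command(ev["CommandLine"])}
            for i, ev in enumerate(events) if selection_matches(ev, selection)]


if __name__ == "__main__":
    for name, rule in (("broad", RULE), ("tuned", TUNED_RULE)):
        print(name, [(h["index"], h["decoded"]) for h in run_rule(SAMPLE_EVENTS, rule)])
```

The broad rule fires on records 0, 1 and 4; the git commit in record 4 is the kind of false positive the page's "reduced false positives" goal refers to, and constraining the image is the smallest change that removes it while keeping both encoded PowerShell launches.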
For QRadar, use AQL:
SELECT username, sourceip, COUNT(*) AS FailedAttempts, MIN(starttime) AS FirstSeen
FROM events
WHERE LOGSOURCENAME(logsourceid) LIKE '%Windows%'
  AND "EventID" = 4625
GROUP BY sourceip, username
HAVING COUNT(*) > 5
LAST 1 HOURS

In AQL the Windows event ID is the custom property "EventID" (quoted), a LIKE pattern needs the % wildcards, and any non-aggregated column such as starttime must be wrapped in an aggregate (MIN here) once a GROUP BY is present.
Expected Output:
- Refined SIEM alerts with reduced false positives.
- Faster incident response using optimized queries.
- Improved threat detection coverage via MITRE mappings.
Reported By: Izzmier 2025 – Hackers Feeds