SIEM DETECTION RULES: Why Your Logs Are Useless Without Custom Detection Logic – A Blue Team’s Guide to Building Threat‑Driven Alerts + Video


Introduction:

A Security Information and Event Management (SIEM) platform that ingests massive log volumes without purpose‑built detection logic is little more than an expensive data lake. Generic vendor rules do not catch attackers who are working against your specific infrastructure, users, and business processes, which is why detection engineering has become the cornerstone of modern SOC operations.

Learning Objectives:

  • Understand why custom detection rules tailored to your organization’s risk profile outperform generic SIEM content.
  • Learn to build and test detection logic across nine security domains using concrete queries, commands, and tuning techniques.
  • Implement actionable step‑by‑step detection use cases for authentication anomalies, privilege escalation, network threats, and cloud abuse.

You Should Know:

  1. Authentication & Access Control – Detecting Brute‑Force and Impossible Travel
    Collecting Windows Event ID 4625 (failed logins) or Linux `auth.log` entries is not enough. You need correlation rules that spot rapid failures followed by success, logins from geographically impossible locations, and dormant account reactivations.

Step‑by‑step guide to build an impossible travel detection in Splunk:
1. Index authentication logs with the source IP and enrich each event with geolocation (Splunk's `iplocation` command adds City/Country from the IP).
2. Use `streamstats` with a 1‑hour time window to count distinct locations per user, then keep the users that show more than one.
3. Filter out known VPN/proxy egress IPs before counting, so a user switching to the corporate VPN does not look like travel.

Splunk query:

index=windows EventCode=4624
| search NOT [| inputlookup known_vpn_egress.csv | fields src_ip]
| iplocation src_ip
| eval Location=City.", ".Country
| streamstats time_window=1h current=t global=f dc(Location) AS locations values(Location) AS seen_locations by user
| where locations>1
| table _time, user, src_ip, Location, seen_locations, dest_host

(`known_vpn_egress.csv` stands for a lookup you maintain of VPN/proxy egress addresses; `ip_location()` is not an eval function and `distinct_count()` cannot be used in `where`, so the distinct count has to be computed in `streamstats` as `dc()`.)

Linux command to monitor authentication failures in real‑time:

sudo tail -f /var/log/auth.log | grep "Failed password"
# For CentOS/RHEL the same entries are in /var/log/secure

Windows PowerShell one‑liner to export failed logins from the last 24 hours:

# 4625 property indices: [5] = TargetUserName, [19] = IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddHours(-24)} |
  Select-Object TimeCreated, @{n='User'; e={$_.Properties[5].Value}}, @{n='SourceIP'; e={$_.Properties[19].Value}}
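The two correlations this section describes (a burst of 4625 failures followed by a 4624, and two successful logons too far apart to be reachable in the time between them) as an added Python example; this is not code from the original post. The normalised event field names, the coordinates, the addresses and the `KNOWN_VPN_IPS` allow‑list are constructed for the example; a real pipeline would feed in geolocation‑enriched SIEM events instead.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon events as a SIEM would normalise 4624/4625 (field names are assumed;
# lat/lon would come from an IP geolocation enrichment step, as in the Splunk query above).
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "event_id": 4625, "user": "jdoe", "src_ip": "203.0.113.7", "lat": 51.50, "lon": -0.12},
    {"ts": "2024-03-01T09:00:05", "event_id": 4625, "user": "jdoe", "src_ip": "203.0.113.7", "lat": 51.50, "lon": -0.12},
    {"ts": "2024-03-01T09:00:10", "event_id": 4625, "user": "jdoe", "src_ip": "203.0.113.7", "lat": 51.50, "lon": -0.12},
    {"ts": "2024-03-01T09:00:15", "event_id": 4625, "user": "jdoe", "src_ip": "203.0.113.7", "lat": 51.50, "lon": -0.12},
    {"ts": "2024-03-01T09:00:20", "event_id": 4625, "user": "jdoe", "src_ip": "203.0.113.7", "lat": 51.50, "lon": -0.12},
    {"ts": "2024-03-01T09:00:30", "event_id": 4624, "user": "jdoe", "src_ip": "203.0.113.7", "lat": 51.50, "lon": -0.12},
    {"ts": "2024-03-01T09:20:00", "event_id": 4624, "user": "jdoe", "src_ip": "198.51.100.9", "lat": 40.71, "lon": -74.01},
    {"ts": "2024-03-01T10:00:00", "event_id": 4624, "user": "asmith", "src_ip": "192.0.2.10", "lat": 48.86, "lon": 2.35},
    {"ts": "2024-03-01T10:30:00", "event_id": 4624, "user": "asmith", "src_ip": "192.0.2.44", "lat": 52.52, "lon": 13.41},
]
KNOWN_VPN_IPS = {"192.0.2.44"}  # assumed allow-list of corporate VPN/proxy egress addresses


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_bruteforce_then_success(events, failures=5, window=timedelta(minutes=5)):
    """Flag a user whose 4624 is preceded by >= `failures` 4625s inside `window`."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        recent_failures = []
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            recent_failures = [f for f in recent_failures if t - f <= window]  # slide the window
            if e["event_id"] == 4625:
                recent_failures.append(t)
            elif e["event_id"] == 4624 and len(recent_failures) >= failures:
                alerts.append({"user": user, "src_ip": e["src_ip"],
                               "failures": len(recent_failures), "success_at": e["ts"]})
                recent_failures = []
    return alerts


def detect_impossible_travel(events, max_speed_kmh=900):
    """Flag consecutive successful logons whose implied travel speed exceeds max_speed_kmh."""
    alerts = []
    last = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] != 4624 or e["src_ip"] in KNOWN_VPN_IPS:
            continue  # VPN egress is excluded before it can pair with a real location
        t = datetime.fromisoformat(e["ts"])
        prev = last.get(e["user"])
        if prev:
            hours = (t - prev["t"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > max_speed_kmh:
                alerts.append({"user": e["user"], "from_ip": prev["src_ip"], "to_ip": e["src_ip"],
                               "km": round(km), "speed_kmh": round(km / hours)})
        last[e["user"]] = {"t": t, "lat": e["lat"], "lon": e["lon"], "src_ip": e["src_ip"]}
    return alerts


if __name__ == "__main__":
    print(detect_bruteforce_then_success(EVENTS))
    print(detect_impossible_travel(EVENTS))
```

In the sample, `jdoe` trips both rules (five failures in 20 seconds before the success, then a London‑to‑New‑York hop in under 20 minutes) while `asmith`'s second logon from the VPN egress address is ignored. The speed threshold is the knob to tune; 900 km/h is roughly airliner speed, so anything faster cannot be the same person.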

  2. Privilege Escalation – Monitoring Admin Changes and Group Membership Modifications
    Attackers often add themselves to Domain Admins, sudoers, or local administrator groups. Detect these changes with specific event IDs and file integrity monitoring.

Step‑by‑step to detect Windows admin group modifications:

  1. Monitor Event ID 4728 (member added to security‑enabled global group) and 4732 (member added to local group).
  2. Create a watchlist of privileged groups (e.g., Domain Admins, Enterprise Admins).
  3. Alert when a non‑privileged account triggers these events.

Elastic Security rule (EQL). Events 4728, 4732 and 4756 carry the group name in `TargetUserName` and the added account in `MemberName`/`MemberSid`, so one event query is enough; a `sequence` is not needed. The `SubjectUserName` patterns are placeholders for your approved admin accounts:

// replace the SubjectUserName patterns with your approved admin accounts
any where event.code in ("4728", "4732", "4756") and
  winlog.event_data.TargetUserName : ("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators") and
  not winlog.event_data.SubjectUserName : ("admin.*", "svc_iam")

Linux detection for sudoers modifications:

# Audit rules to watch /etc/sudoers and the /etc/sudoers.d/ drop-in directory for writes and attribute changes
sudo auditctl -w /etc/sudoers -p wa -k sudoers_change
sudo auditctl -w /etc/sudoers.d/ -p wa -k sudoers_change
# Search audit logs (-i resolves uids and syscall numbers to names)
sudo ausearch -k sudoers_change -i
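Both halves of this section as an added Python example, not code from the original post: the Windows watchlist check (privileged group plus an actor outside the approved admin set) over a constructed batch of 4728/4732 events, and a parser for raw `audit.log` records that pulls out the file writes tagged `sudoers_change` by the `auditctl` rules above. The event field names, group and account names, and the audit lines are all constructed; the `PRIVILEGED_GROUPS` and `APPROVED_ADMINS` sets are the watchlists you would maintain.

```python
import re

# Constructed Windows group-change events, flattened the way a SIEM would store them
# (field names are assumed). 4728 carries an LDAP DN in MemberName; 4732 usually only a SID.
GROUP_CHANGE_EVENTS = [
    {"event_id": 4728, "host": "DC01", "actor": "svc_backup", "group": "Domain Admins",
     "member": "CN=jdoe,CN=Users,DC=corp,DC=local"},
    {"event_id": 4732, "host": "WS042", "actor": "jdoe", "group": "Administrators",
     "member": "-", "member_sid": "S-1-5-21-1-2-3-1104"},
    {"event_id": 4728, "host": "DC01", "actor": "admin.alice", "group": "Domain Admins",
     "member": "CN=bob,CN=Users,DC=corp,DC=local"},
    {"event_id": 4728, "host": "DC01", "actor": "jdoe", "group": "Marketing",
     "member": "CN=carol,CN=Users,DC=corp,DC=local"},
]
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
APPROVED_ADMINS = {"admin.alice"}  # assumed: accounts allowed to change privileged groups


def member_display(e):
    """Turn the DN from 4728 into a short name; fall back to the SID that 4732 provides."""
    m = e.get("member", "-")
    if m and m != "-":
        return m.split(",")[0].split("=", 1)[-1]
    return e.get("member_sid", "unknown")


def detect_unapproved_privileged_group_changes(events):
    alerts = []
    for e in events:
        if e["event_id"] not in (4728, 4732, 4756):
            continue
        if e["group"].lower() not in PRIVILEGED_GROUPS:
            continue
        if e["actor"].lower() in APPROVED_ADMINS:
            continue
        alerts.append({"host": e["host"], "actor": e["actor"], "group": e["group"],
                       "member": member_display(e), "severity": "high"})
    return alerts


# Constructed raw audit.log records: one sudoers.d write (vim, auid 1001 escalated to root)
# and one unrelated execve record tagged by the process_monitoring rule.
AUDIT_LINES = """\
type=SYSCALL msg=audit(1709290000.123:4242): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2f2c a2=241 a3=1b6 items=2 ppid=3101 pid=3177 auid=1001 uid=0 gid=0 euid=0 exe="/usr/bin/vim" key="sudoers_change"
type=CWD msg=audit(1709290000.123:4242): cwd="/root"
type=PATH msg=audit(1709290000.123:4242): item=0 name="/etc/sudoers.d/" inode=1234 dev=fd:01 mode=040750 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1709290000.123:4242): item=1 name="/etc/sudoers.d/jdoe" inode=5678 dev=fd:01 mode=0100440 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1709290100.456:4300): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=4000 pid=4001 auid=1001 uid=1001 exe="/usr/bin/cat" key="process_monitoring"
"""

AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_sudoers_changes(raw):
    """Group raw audit records by their msg id and return the ones keyed sudoers_change."""
    records = {}
    for line in raw.splitlines():
        kv = {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}
        rec = records.setdefault(kv.get("msg"), {"paths": []})
        if kv.get("type") == "SYSCALL":
            rec.update(auid=kv.get("auid"), uid=kv.get("uid"), exe=kv.get("exe"), key=kv.get("key"))
        elif kv.get("type") == "PATH" and kv.get("nametype") != "PARENT":
            rec["paths"].append(kv.get("name"))
    return [r for r in records.values() if r.get("key") == "sudoers_change"]


if __name__ == "__main__":
    print(detect_unapproved_privileged_group_changes(GROUP_CHANGE_EVENTS))
    print(parse_sudoers_changes(AUDIT_LINES))
```

The audit parser keys on `auid` (the original login uid) rather than `uid`, which is what you want after a `sudo` or `su`: the file was written as root, but the person is still 1001.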

  3. Network Security – Identifying Port Scans and DNS Anomalies
    A single port scan may be noisy but not malicious. However, a source performing scans against multiple internal hosts combined with subsequent exploitation attempts warrants escalation.

Step‑by‑step to detect horizontal port scans using Zeek (formerly Bro) logs:

  1. Ingest Zeek `conn.log` and `notice.log`.
  2. Count distinct destination IPs and ports per source IP over a 10‑minute window.
  3. Set thresholds (e.g., > 100 distinct IPs or > 20 ports) to trigger an alert.

Python detection script (for custom integration):

import pandas as pd
from datetime import datetime, timedelta

# Load Zeek conn.log: a TSV whose '#fields' header line carries the column names,
# so read that line first and let pandas skip the remaining '#' metadata lines.
with open('conn.log') as fh:
    fields = next(line for line in fh if line.startswith('#fields')).rstrip('\n').split('\t')[1:]
df = pd.read_csv('conn.log', sep='\t', comment='#', header=None, names=fields, na_values='-')

# Zeek 'ts' is epoch seconds; keep only the last 10 minutes
window = datetime.now() - timedelta(minutes=10)
recent = df[df['ts'] > window.timestamp()]
scanners = recent.groupby('id.orig_h').agg({'id.resp_h': 'nunique', 'id.resp_p': 'nunique'})
suspects = scanners[(scanners['id.resp_h'] > 100) | (scanners['id.resp_p'] > 20)]
print(suspects)

Windows command to check active connections:

netstat -ano | findstr "ESTABLISHED"
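The escalation step this section calls for (a source that fans out across many hosts or ports and then completes a full session to one of the hosts it probed) as an added Python example that is not part of the original post. It goes beyond the pandas script above by adding the follow‑on correlation, uses only the standard library, embeds a constructed `conn.log` excerpt with Zeek's `#fields` header layout, and lowers the thresholds to fit the sample (20 hosts or 20 ports inside 10 minutes). All addresses are made up.

```python
from collections import defaultdict


def build_sample():
    """Constructed Zeek conn.log text (TSV with Zeek's '#' metadata header); addresses are made up."""
    t = 1709290000.0
    rows = []
    # 10.0.0.5 sweeps TCP/22 across 30 hosts and every attempt is rejected ...
    for i in range(30):
        rows.append((t + i, f"C{i}", "10.0.0.5", 40000 + i, f"10.0.1.{10 + i}", 22, "tcp", "REJ", 0, 0))
    # ... then two minutes later completes a full session with payload to one of the scanned hosts
    rows.append((t + 120, "CX", "10.0.0.5", 41000, "10.0.1.17", 22, "tcp", "SF", 2400, 8100))
    # 10.0.0.9 is an ordinary client talking to two web servers
    rows.append((t + 5, "CY", "10.0.0.9", 50000, "10.0.2.1", 443, "tcp", "SF", 900, 4100))
    rows.append((t + 9, "CZ", "10.0.0.9", 50001, "10.0.2.2", 443, "tcp", "SF", 700, 3000))
    header = ("#separator \\x09\n"
              "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\torig_bytes\tresp_bytes\n"
              "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tcount\tcount\n")
    return header + "\n".join("\t".join(map(str, r)) for r in rows) + "\n"


def parse_conn_log(text):
    """Yield one dict per connection record, using the '#fields' line for the keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split("\t")))


# Zeek conn_state values that mean the target never completed a handshake
UNANSWERED = {"REJ", "S0", "RSTO", "RSTOS0"}


def detect_scan_then_connect(records, window_s=600, min_hosts=20, min_ports=20):
    """Per source: sliding-window fan-out over failed attempts; escalate to 'high' when the same
    source later completes a session (conn_state SF with bytes sent) to a host it scanned."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["id.orig_h"]].append(r)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: float(r["ts"]))
        failed = [r for r in recs if r["conn_state"] in UNANSWERED]
        scanned = set()
        start = 0
        for end in range(len(failed)):
            while float(failed[end]["ts"]) - float(failed[start]["ts"]) > window_s:
                start += 1
            win = failed[start:end + 1]
            hosts = {r["id.resp_h"] for r in win}
            ports = {r["id.resp_p"] for r in win}
            if len(hosts) >= min_hosts or len(ports) >= min_ports:
                scanned |= hosts
        if not scanned:
            continue
        follow_on = [(r["id.resp_h"], r["id.resp_p"]) for r in recs
                     if r["conn_state"] == "SF" and r["id.resp_h"] in scanned and int(r["orig_bytes"]) > 0]
        alerts.append({"src": src, "scanned_hosts": len(scanned),
                       "severity": "high" if follow_on else "medium", "follow_on": follow_on})
    return alerts


def run_sample():
    return detect_scan_then_connect(parse_conn_log(build_sample()))


if __name__ == "__main__":
    print(run_sample())
```

The scan alone would be a medium‑severity alert; the completed `SF` session to `10.0.1.17` afterwards is what escalates it, which is the point made in the text: fan‑out followed by a working connection to one of the probed hosts is the pattern worth paging on.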

  4. Malware Detection – Ransomware Indicators and Suspicious Process Chains
    Modern malware uses living‑off‑the‑land binaries (LOLBins) and obfuscated scripts. Detection requires tracking parent‑child process relationships and script interpreters launching unusual child processes.

Step‑by‑step to build a process chain detection in Microsoft Sentinel:
1. Ingest process creation events with command‑line logging enabled: Windows Event ID 4688 (SecurityEvent table, with "Include command line in process creation events" turned on) or Defender for Endpoint's DeviceProcessEvents table, which the query below uses.
2. Write a KQL query that looks for `powershell.exe` or `cmd.exe` spawning `vssadmin.exe`, `wmic.exe` or `bcdedit.exe` with shadow‑copy deletion or recovery‑disabling arguments.
3. Correlate with a burst of file writes or renames under user document folders from the same process tree (Event ID 4663 with object‑access auditing on those folders, or Sysmon Event ID 11 for file creation).

Sentinel KQL rule snippet (DeviceProcessEvents requires the Defender for Endpoint connector; `has_any` is case‑insensitive):

let ransomware_indicators = dynamic(["vssadmin delete shadows", "wmic shadowcopy delete", "bcdedit /set {default} recoveryenabled no"]);
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")
| where ProcessCommandLine has_any (ransomware_indicators)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

Linux detection for suspicious script execution:

# Monitor all executed commands via auditd (add a matching arch=b32 rule if 32-bit binaries run on the host)
sudo auditctl -a always,exit -F arch=b64 -S execve -k process_monitoring
# Look for interpreters running inline code or base64-decoded content
sudo ausearch -k process_monitoring -i | grep -E 'python[0-9.]* -c|bash -c|base64 (-d|--decode)'
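The process‑chain logic from this section (script host spawning shadow‑copy deletion, a script host descended from an Office application, an encoded PowerShell command) plus the file‑rename burst from step 3, as an added Python example that is not code from the original post. The process and file events are constructed in the flattened form a SIEM would hold Sysmon 1/11 or 4688/4663 data in; the field names, hostnames, PIDs and paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon 1 / 4688 style, flattened; field names assumed).
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "host": "WS042", "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "host": "WS042", "image": "winword.exe",    "cmd": "WINWORD.EXE /n invoice.docm"},
    {"pid": 300, "ppid": 200, "host": "WS042", "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"pid": 400, "ppid": 300, "host": "WS042", "image": "cmd.exe",        "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"pid": 500, "ppid": 400, "host": "WS042", "image": "vssadmin.exe",   "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 600, "ppid": 100, "host": "WS042", "image": "powershell.exe", "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"pid": 700, "ppid": 600, "host": "WS042", "image": "cmd.exe",        "cmd": "cmd.exe /c dir"},
]
RANSOMWARE_INDICATORS = ["vssadmin delete shadows", "wmic shadowcopy delete",
                         "bcdedit /set {default} recoveryenabled no"]
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def ancestry(events_by_pid, pid):
    """Image names from the process up to the root, child first (cycle-safe)."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        chain.append(events_by_pid[pid]["image"].lower())
        pid = events_by_pid[pid]["ppid"]
    return chain


def detect_suspicious_chains(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        cmd = e["cmd"].lower()
        image = e["image"].lower()
        chain = ancestry(by_pid, e["pid"])
        parent = chain[1] if len(chain) > 1 else None
        reasons = []
        if parent in SCRIPT_HOSTS and any(ind in cmd for ind in RANSOMWARE_INDICATORS):
            reasons.append("shadow-copy/recovery tampering launched from a script host")
        if image in SCRIPT_HOSTS and any(app in chain for app in OFFICE_APPS):
            reasons.append("script host descended from an Office application")
        if image == "powershell.exe" and ENCODED_PS.search(e["cmd"]):
            reasons.append("encoded PowerShell command")
        if reasons:
            alerts.append({"host": e["host"], "pid": e["pid"], "chain": " <- ".join(chain), "reasons": reasons})
    return alerts


# Constructed file events (Sysmon 11 / 4663 style): pid 400 rewrites 60 documents with a new
# extension in one minute; pid 600 writes ordinary .txt files and should not fire.
KNOWN_EXT = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}
FILE_EVENTS = ([{"pid": 400, "ts": 1709290000 + i, "path": f"C:\\Users\\jdoe\\Documents\\report{i}.docx.locked"}
                for i in range(60)]
               + [{"pid": 600, "ts": 1709290000 + i, "path": f"C:\\backup\\file{i}.txt"} for i in range(10)])


def detect_rename_burst(file_events, window_s=60, threshold=50):
    """Return {pid: count} for processes writing >= threshold files with unknown extensions in window_s."""
    by_pid = defaultdict(list)
    for f in file_events:
        ext = "." + f["path"].rsplit(".", 1)[-1].lower()
        if ext not in KNOWN_EXT:
            by_pid[f["pid"]].append(f["ts"])
    hits = {}
    for pid, times in by_pid.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hits[pid] = end - start + 1
    return hits


if __name__ == "__main__":
    print(detect_suspicious_chains(PROCESS_EVENTS))
    print(detect_rename_burst(FILE_EVENTS))
```

`pid 400` appears in both result sets (it deletes shadow copies and it is the writer of the `.locked` burst); in a real rule that intersection is what you raise to critical, while the backup script under `pid 600` produces nothing because its parent chain is benign and its file extensions are known.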

  5. Insider Threat Monitoring – Large File Transfers and Unauthorized Database Queries
    Data exfiltration often involves large outbound transfers or excessive database queries from a single user. Use netflow, proxy logs, and database audit logs.

Step‑by‑step to detect large HTTP uploads from a user:
1. Aggregate proxy logs by user, destination, and bytes sent, per day.
2. Compute each user's 30‑day baseline: the mean and standard deviation of daily upload volume.
3. Alert when a day's volume exceeds the mean by more than three standard deviations (and skip users with too little history, or every new starter fires on day one).

Example SQL query from a database audit table (`user_name` is used because `user` is a reserved word in several databases):

SELECT user_name, COUNT(*) AS query_count, SUM(row_count) AS total_rows
FROM db_audit_log
WHERE ts > NOW() - INTERVAL 1 HOUR
GROUP BY user_name
HAVING COUNT(*) > 500 OR SUM(row_count) > 100000;

Windows command to audit USB device usage (this log is disabled by default and must be enabled before it records anything):

# UMDF device-arrival events (Event ID 2003) are written when a removable device is loaded
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DriverFrameworks-UserMode/Operational'; ID=2003} |
  Select-Object TimeCreated, Id, Message
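The 30‑day baseline with a three‑sigma threshold from the upload procedure, and the audit‑table threshold query run against an in‑memory SQLite copy, as an added Python example that is not code from the original post. The per‑day byte counts and the audit rows are constructed; the user names, the `db_audit_log` column names and the thresholds are assumptions. The SQL is rewritten for SQLite (a bound cut‑off timestamp instead of `NOW() - INTERVAL 1 HOUR`).

```python
import sqlite3
import statistics

# Constructed per-day upload totals in bytes (30 days per user) and today's value.
BASELINE = {
    "jdoe":   [2_000_000 + (i % 5) * 100_000 for i in range(30)],      # steady ~2 MB/day
    "asmith": [50_000_000 + (i % 7) * 5_000_000 for i in range(30)],   # heavy but normal, 50-80 MB/day
}
TODAY = {"jdoe": 48_000_000, "asmith": 85_000_000}


def upload_anomalies(baseline, today, sigmas=3.0, min_samples=7):
    """Alert on users whose upload volume today exceeds mean + sigmas * stdev of their history."""
    alerts = []
    for user, history in baseline.items():
        if len(history) < min_samples or user not in today:
            continue  # not enough history to baseline: do not alert on cold-start users
        mean = statistics.mean(history)
        sd = statistics.pstdev(history)
        threshold = mean + sigmas * sd
        if today[user] > threshold:
            alerts.append({"user": user, "bytes": today[user],
                           "baseline_mean": round(mean), "threshold": round(threshold)})
    return alerts


NOW = 1709290000  # fixed reference time so the sample is reproducible
# Constructed audit rows: (user_name, ts, row_count)
DB_AUDIT_ROWS = (
    [("jdoe", NOW - 60 * i, 20_000) for i in range(10)]     # 10 queries, 200k rows in the last hour: bulk pull
    + [("asmith", NOW - 5 * i, 10) for i in range(600)]     # 600 tiny queries: scripted enumeration
    + [("bob", NOW - 7200, 5_000_000)]                      # huge, but two hours ago: outside the window
)


def noisy_db_users(rows, since_ts, max_queries=500, max_rows=100_000):
    """Run the threshold query against an in-memory SQLite copy of the audit table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE db_audit_log (user_name TEXT, ts INTEGER, row_count INTEGER)")
    con.executemany("INSERT INTO db_audit_log VALUES (?, ?, ?)", rows)
    cur = con.execute(
        """SELECT user_name, COUNT(*) AS query_count, SUM(row_count) AS total_rows
           FROM db_audit_log
           WHERE ts > ?
           GROUP BY user_name
           HAVING COUNT(*) > ? OR SUM(row_count) > ?
           ORDER BY total_rows DESC""",
        (since_ts, max_queries, max_rows))
    return cur.fetchall()


if __name__ == "__main__":
    print(upload_anomalies(BASELINE, TODAY))
    print(noisy_db_users(DB_AUDIT_ROWS, NOW - 3600))
```

`asmith` moves 85 MB today, which is more than `jdoe`'s 48 MB, yet only `jdoe` alerts: the baseline is per user, and 85 MB sits inside `asmith`'s normal spread while 48 MB is about 300 standard deviations above `jdoe`'s. The database check fires on two different shapes of abuse (few queries pulling many rows, and many tiny queries) and ignores `bob`'s large but old query.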

  6. Cloud Security – API Abuse and Privilege Misuse in AWS/Azure
    Cloud threat detection requires monitoring control plane API calls – especially AssumeRole, CreateAccessKey, and modifications to security groups.

Step‑by‑step to detect suspicious privilege escalation via AWS STS:

  1. Enable CloudTrail (management events, all regions) and send the logs to the SIEM.
  2. Search for `AssumeRole` events whose target role is on a watchlist of privileged roles, and record the caller and the session ARN that STS returns.
  3. Correlate with subsequent `ec2:RunInstances` or `s3:GetObject` on sensitive buckets performed by that session ARN within the next hour.

Splunk query for AWS (field names with dots must be single‑quoted in `eval`; the role being assumed is in `requestParameters.roleArn`, while `responseElements.assumedRoleUser.arn` is the session ARN you later join follow‑on API calls against):

index=aws sourcetype=aws:cloudtrail eventName=AssumeRole
| eval role_arn='requestParameters.roleArn', session_arn='responseElements.assumedRoleUser.arn'
| lookup privileged_roles.csv role_arn OUTPUT is_privileged
| where is_privileged="yes"
| table eventTime, userIdentity.arn, sourceIPAddress, role_arn, session_arn

Azure CLI command to list recent role‑assignment writes from the Activity Log (sign‑ins from unusual locations are not in the Activity Log; they are in the Entra ID / Azure AD sign‑in logs, which need a diagnostic setting to a Log Analytics workspace before they can be queried):

az monitor activity-log list --offset 24h --max-events 100 --query "[?operationName.value=='Microsoft.Authorization/roleAssignments/write']"
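The three‑step STS correlation as an added Python example that is not code from the original post: an `AssumeRole` into a watchlisted role, followed within an hour by sensitive actions performed under the session ARN that STS returned. The CloudTrail records are constructed (real CloudTrail uses these field names, but the account ID, role names, bucket and IPs are made up), and the `PRIVILEGED_ROLES`, `SENSITIVE_BUCKETS` and `ESCALATION_ACTIONS` watchlists are assumptions you would maintain.

```python
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"arn:aws:iam::123456789012:role/AdminRole", "arn:aws:iam::123456789012:role/SecurityAudit"}
SENSITIVE_BUCKETS = {"corp-finance-exports"}
ESCALATION_ACTIONS = {"RunInstances", "CreateAccessKey", "PutUserPolicy", "AttachRolePolicy"}

# Constructed CloudTrail records (subset of fields). A CI user assumes AdminRole and the session
# then reads a finance bucket and launches a large instance; a second user assumes a read-only role.
CLOUDTRAIL = [
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-ci"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/AdminRole", "roleSessionName": "ci-run-42"},
     "responseElements": {"assumedRoleUser": {"arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/ci-run-42"}}},
    {"eventTime": "2024-03-01T09:04:00Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/ci-run-42"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "corp-finance-exports", "key": "2024/q1.csv"}},
    {"eventTime": "2024-03-01T09:10:00Z", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/ci-run-42"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"instanceType": "p3.16xlarge"}},
    {"eventTime": "2024-03-01T11:00:00Z", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/ReadOnly", "roleSessionName": "alice"},
     "responseElements": {"assumedRoleUser": {"arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/alice"}}},
    {"eventTime": "2024-03-01T11:02:00Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/alice"}, "sourceIPAddress": "198.51.100.9",
     "requestParameters": {"bucketName": "public-assets", "key": "logo.png"}},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_privileged_assume_then_abuse(events, window=timedelta(hours=1)):
    """For each AssumeRole into a watchlisted role, collect sensitive actions taken by the
    returned session ARN inside `window`; severity is high only when follow-on activity exists."""
    events = sorted(events, key=lambda e: e["eventTime"])
    alerts = []
    for e in events:
        if e["eventName"] != "AssumeRole":
            continue
        role = e["requestParameters"]["roleArn"]
        if role not in PRIVILEGED_ROLES:
            continue
        session_arn = e["responseElements"]["assumedRoleUser"]["arn"]
        t0 = parse_ts(e["eventTime"])
        follow_on = []
        for f in events:
            t = parse_ts(f["eventTime"])
            if f["userIdentity"].get("arn") != session_arn or not (t0 < t <= t0 + window):
                continue
            params = f.get("requestParameters") or {}
            if f["eventName"] in ESCALATION_ACTIONS or params.get("bucketName") in SENSITIVE_BUCKETS:
                follow_on.append((f["eventName"], params.get("bucketName") or params.get("instanceType") or ""))
        alerts.append({"caller": e["userIdentity"]["arn"], "role": role, "src_ip": e["sourceIPAddress"],
                       "session": session_arn, "severity": "high" if follow_on else "medium",
                       "follow_on": follow_on})
    return alerts


if __name__ == "__main__":
    print(detect_privileged_assume_then_abuse(CLOUDTRAIL))
```

Joining on the session ARN rather than on the calling user is the detail that matters: after `AssumeRole`, every subsequent API call is attributed to `assumed-role/<Role>/<SessionName>`, so a rule keyed on `userIdentity.arn` of the original user would never see the follow‑on activity.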

What Undercode Say:

  • Detection engineering is a full‑time, continuous discipline – generic vendor rules are a starting point, not a finish line. Tuning rules to your environment is where risk reduction happens.
  • Automation without validation creates alert fatigue – every new rule must be tested against historical data and live traffic to balance true positives and false positives. The best SOC teams revisit and refine rules weekly.

Analysis (10 lines):

The post highlights a fundamental gap in many SIEM deployments: logs without purpose are noise. Okan YILDIZ’s nine‑domain framework provides a practical blueprint for any SOC, but the real insight is that detection rules must mirror an organization’s unique business processes, not a vendor’s generic threat library. The GitHub PDF (100 Custom SIEM Rules for Client Onboarding) is a valuable asset, but the methodology – understanding normal before hunting abnormal – is the true takeaway. Comments from Jason Brown and Nic Wilson reinforce that detection engineering is under‑resourced and often ignored by leadership until after a breach. Without dedicated headcount and automation loops, even well‑written rules decay into irrelevance as infrastructure changes. The shift toward detection as code (e.g., Sigma rules, KQL templates) is essential to keep pace. Ultimately, a SIEM’s maturity is measured not by log volume but by mean time to detect (MTTD) and signal‑to‑noise ratio.

Expected Output:

Introduction:

Effective SIEM detection rules are the lens through which you see attacker activity in your own backyard. By moving from generic alerts to custom logic that understands your assets, users, and risk appetite, you transform a log collector into a proactive threat detection engine.

Prediction:

  • +1 AI‑assisted detection rule generation will reduce rule creation time by 60% within 18 months, allowing smaller SOCs to compete with enterprise teams.
  • -1 As organizations adopt more cloud‑native and ephemeral workloads, traditional static rules will struggle; those who fail to implement detection as code will drown in false positives.
  • +1 MITRE ATT&CK‑mapped rule repositories will become standard compliance requirements in cyber insurance policies, driving adoption of custom detection frameworks.
  • -1 Attackers will increasingly target the detection rules themselves – through log manipulation and blind spots – forcing SOCs to implement rule integrity monitoring and canary tokens.

Reported By: Yildizokan Siem – Hackers Feeds