ReddRadar
Agent skill
implementing-siem-use-cases-for-detection
Implements SIEM detection use cases by designing correlation rules, threshold alerts, and behavioral analytics mapped to MITRE ATT&CK techniques across Splunk, Elastic, and Sentinel. Use when SOC teams need to expand detection coverage, formalize use case lifecycle management, or build a detection library aligned to organizational threat profile.
Install this agent skill to your Project
npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/implementing-siem-use-cases-for-detection
SKILL.md
Implementing SIEM Use Cases for Detection
When to Use
Use this skill when:
- SOC teams need to build or expand their SIEM detection library from scratch
- Threat assessments identify ATT&CK technique gaps requiring new detection rules
- Detection engineers need a structured process for use case design, testing, and deployment
- Compliance requirements mandate specific detection capabilities (PCI DSS, HIPAA, SOX)
Do not use for ad-hoc hunting queries — use cases are formalized, tested, and maintained detection rules, not exploratory searches.
Prerequisites
- SIEM platform (Splunk ES, Elastic Security, or Microsoft Sentinel) with production data
- ATT&CK Navigator for coverage gap analysis
- Log sources normalized to CIM/ECS field standards
- Use case documentation framework (wiki, Git repo, or detection engineering platform)
- Testing environment with attack simulation tools (Atomic Red Team, MITRE Caldera)
Workflow
Step 1: Assess Detection Coverage Gaps
Map current detection rules to ATT&CK and identify gaps:
import json
# Load current detection rules mapped to ATT&CK
current_rules = [
{"name": "Brute Force Detection", "techniques": ["T1110.001", "T1110.003"]},
{"name": "Malware Hash Match", "techniques": ["T1204.002"]},
{"name": "Suspicious PowerShell", "techniques": ["T1059.001"]},
]
# Load ATT&CK Enterprise techniques
with open("enterprise-attack.json") as f:
attack = json.load(f)
all_techniques = set()
for obj in attack["objects"]:
if obj["type"] == "attack-pattern":
ext = obj.get("external_references", [])
for ref in ext:
if ref.get("source_name") == "mitre-attack":
all_techniques.add(ref["external_id"])
covered = set()
for rule in current_rules:
covered.update(rule["techniques"])
gaps = all_techniques - covered
print(f"Total techniques: {len(all_techniques)}")
print(f"Covered: {len(covered)} ({len(covered)/len(all_techniques)*100:.1f}%)")
print(f"Gaps: {len(gaps)}")
# Prioritize gaps by threat relevance
priority_techniques = [
"T1003", "T1021", "T1053", "T1547", "T1078",
"T1055", "T1071", "T1105", "T1036", "T1070"
]
priority_gaps = [t for t in priority_techniques if t in gaps]
print(f"Priority gaps: {priority_gaps}")
Step 2: Design Use Case Specification
Document each use case with a standardized template:
use_case_id: UC-2024-015
name: Credential Dumping via LSASS Access
description: Detects tools accessing LSASS process memory for credential extraction
mitre_attack:
tactic: Credential Access (TA0006)
technique: T1003.001 - LSASS Memory
data_sources:
- Process: OS API Execution (Sysmon EventCode 10)
- Process: Process Access (Windows Security 4663)
log_sources:
- index: sysmon, sourcetype: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- index: wineventlog, sourcetype: WinEventLog:Security
severity: High
confidence: Medium-High
false_positive_sources:
- Antivirus products scanning LSASS
- CrowdStrike Falcon sensor
- Windows Defender ATP
- SCCM client
tuning_notes: >
Maintain exclusion list for known security tools that legitimately access LSASS.
Review exclusions quarterly for newly deployed security products.
sla: Alert within 5 minutes of detection
owner: detection_engineering_team
status: Production
created: 2024-03-15
last_tested: 2024-03-15
Step 3: Implement Detection Logic Across Platforms
Splunk ES Correlation Search:
| tstats summariesonly=true count from datamodel=Endpoint.Processes
where Processes.process_name="lsass.exe"
by Processes.dest, Processes.user, Processes.process_name,
Processes.parent_process_name, Processes.parent_process
| `drop_dm_object_name(Processes)`
| lookup lsass_access_whitelist parent_process AS parent_process OUTPUT is_whitelisted
| where isnull(is_whitelisted) OR is_whitelisted!="true"
| `credential_dumping_lsass_filter`
Or using raw Sysmon data:
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x40")
NOT [| inputlookup lsass_whitelist.csv | fields SourceImage]
| stats count, values(GrantedAccess) AS access_flags by Computer, SourceImage, SourceUser
| where count > 0
Elastic Security EQL Rule:
process where event.type == "access" and
process.name == "lsass.exe" and
not process.executable : (
"?:\\Windows\\System32\\svchost.exe",
"?:\\Windows\\System32\\csrss.exe",
"?:\\Program Files\\CrowdStrike\\*",
"?:\\ProgramData\\Microsoft\\Windows Defender\\*"
)
Microsoft Sentinel KQL Rule:
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "lsass.exe"
| where ActionType == "ProcessAccessed"
| where InitiatingProcessFileName !in ("svchost.exe", "csrss.exe", "MsMpEng.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName,
InitiatingProcessCommandLine, AccountName
Step 4: Test with Attack Simulation
Validate detection rules using Atomic Red Team:
# Install Atomic Red Team
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics
# Execute T1003.001 - Credential Dumping
Invoke-AtomicTest T1003.001 -TestNumbers 1,2,3
# Execute T1053.005 - Scheduled Task
Invoke-AtomicTest T1053.005 -TestNumbers 1
# Execute T1547.001 - Registry Run Key
Invoke-AtomicTest T1547.001 -TestNumbers 1,2
Verify detection in SIEM:
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
earliest=-1h
| stats count by Computer, SourceImage, GrantedAccess
| where count > 0
Document test results:
TEST RESULTS — UC-2024-015
Atomic Test T1003.001-1 (Mimikatz): DETECTED (alert fired in 47s)
Atomic Test T1003.001-2 (ProcDump): DETECTED (alert fired in 32s)
Atomic Test T1003.001-3 (Task Manager): FALSE NEGATIVE (excluded by whitelist — expected)
False Positive Rate (7-day backtest): 2 events (CrowdStrike scan — added to whitelist)
Step 5: Deploy and Monitor Use Case Health
Track detection rule effectiveness:
-- Use case firing frequency
index=notable
| stats count AS fires, dc(src) AS unique_sources,
dc(dest) AS unique_dests
by rule_name, status_label
| eval true_positive_rate = round(
sum(eval(if(status_label="Resolved - True Positive", 1, 0))) /
count * 100, 1)
| sort - fires
| table rule_name, fires, unique_sources, unique_dests, true_positive_rate
-- Detection latency monitoring
index=notable
| eval detection_latency = _time - orig_time
| stats avg(detection_latency) AS avg_latency_sec,
perc95(detection_latency) AS p95_latency_sec
by rule_name
| eval avg_latency_min = round(avg_latency_sec / 60, 1)
| sort - avg_latency_sec
Step 6: Maintain Use Case Library
Establish lifecycle management for all detection use cases:
USE CASE LIFECYCLE
━━━━━━━━━━━━━━━━━━
1. PROPOSED → New detection need identified (threat intel, gap analysis, incident finding)
2. DEVELOPMENT → Query written, false positive analysis, tuning
3. TESTING → Atomic Red Team validation, 7-day backtest
4. STAGING → Deployed in alert-only mode (no incident creation) for 14 days
5. PRODUCTION → Full production with incident creation and SOAR integration
6. REVIEW → Quarterly review of effectiveness, false positive rate, relevance
7. DEPRECATED → Technique no longer relevant or replaced by better detection
Key Concepts
| Term | Definition |
|---|---|
| Use Case | Formalized detection rule with documented logic, testing, tuning, and lifecycle management |
| Detection Engineering | Practice of designing, testing, and maintaining SIEM detection rules as a software development discipline |
| Correlation Search | SIEM query that combines events from multiple sources to identify attack patterns |
| False Positive Rate | Percentage of alerts that are benign activity — target <20% for production use cases |
| Detection Latency | Time between event occurrence and alert generation — target <5 minutes for critical detections |
| ATT&CK Coverage | Percentage of relevant ATT&CK techniques with at least one production detection rule |
Tools & Systems
- Splunk ES: Enterprise SIEM with correlation searches, risk-based alerting, and Incident Review
- Elastic Security: SIEM with detection rules, EQL sequences, and ML-based anomaly detection
- Microsoft Sentinel: Cloud SIEM with KQL analytics rules, Fusion ML engine, and Lighthouse multi-tenant
- Atomic Red Team: Open-source attack simulation framework for testing detection rules against ATT&CK techniques
- ATT&CK Navigator: MITRE visualization tool for mapping and tracking detection coverage across techniques
Common Scenarios
- Post-Incident Use Case: After a ransomware incident, build detection for the initial access vector discovered during investigation
- Compliance-Driven: PCI DSS requires detection of admin account misuse — build use cases for 4672/4720/4732 events
- Threat-Intel Driven: New APT group targets your sector — build use cases for their documented TTPs
- Red Team Findings: Purple team exercise identifies blind spots — convert findings into production detection rules
- SIEM Migration: Migrating from QRadar to Splunk — convert and validate all existing use cases on new platform
Output Format
USE CASE DEPLOYMENT REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━
Quarter: Q1 2024
Total Use Cases: 147 (Production: 128, Staging: 12, Development: 7)
New Deployments This Quarter:
UC-2024-012 Kerberoasting Detection (T1558.003) — Production
UC-2024-013 DLL Side-Loading (T1574.002) — Production
UC-2024-014 Scheduled Task Persistence (T1053.005) — Production
UC-2024-015 LSASS Memory Access (T1003.001) — Staging
ATT&CK Coverage:
Overall: 67% of relevant techniques (up from 61%)
Initial Access: 78%
Execution: 82%
Persistence: 71%
Credential Access: 65%
Lateral Movement: 58% (priority gap area)
Health Metrics:
Avg True Positive Rate: 74% (target: >70%)
Avg Detection Latency: 2.3 min (target: <5 min)
Use Cases Deprecated: 3 (replaced by improved versions)
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
mukul975/Anthropic-Cybersecurity-Skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
mukul975/Anthropic-Cybersecurity-Skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
mukul975/Anthropic-Cybersecurity-Skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
mukul975/Anthropic-Cybersecurity-Skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
mukul975/Anthropic-Cybersecurity-Skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
mukul975/Anthropic-Cybersecurity-Skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?