IR Analyst

Write SIEM detection rules, Sigma rules, and EDR policies based on attacker TTPs observed during the incident to prevent similar attacks from going undetected.

Actions

  1. Document all attacker TTPs observed, with specific indicators: process names, command lines, file paths, registry keys, network destinations.
  2. Write a Sigma rule for each TTP so it can be shared and converted to multiple SIEM platforms.
  3. Create custom KQL/SPL detection rules for the organization's SIEM targeting the specific attack patterns.
  4. Update EDR detection policies: add custom IOC feeds, behavioral detection rules, and response automations.
  5. Test all new rules against historical data to verify they detect the incident activity, and assess their false positive rates.
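The procedure above, end to end, as an added example that is not part of the original playbook: a small Python evaluator for a Sigma-style process-creation rule (step 2), replayed over a handful of constructed, analyst-labelled 4688-style events (step 5) to count true positives, false positives and misses. The rule, its tool names, the filter for a hypothetical monitoring agent and the events are all assumptions; SecurityEvent's Process and ParentProcessName are mapped onto Sigma's Image and ParentImage fields. The evaluator implements only the subset of Sigma used here (the contains/startswith/endswith modifiers and and/or/not conditions), not the full specification; for real conversion to KQL or SPL use the sigma-cli/pySigma converters.

```python
# Added example (not from the original playbook): replay a candidate Sigma-style
# process-creation rule over labelled historical events to check coverage and FPs.
import re

# Sigma rule as a dict (same structure as the shared YAML). Names and the filter are illustrative.
RULE = {
    "title": "Domain reconnaissance via net.exe / nltest.exe (hypothetical)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\net.exe", "\\net1.exe", "\\nltest.exe"],
            "CommandLine|contains": ["domain admins", "/domain_trusts", "/dclist"],
        },
        # Tuning filter: a hypothetical monitoring agent runs the same enumeration on a schedule.
        "filter_agent": {"ParentImage|endswith": "\\monitoringagent.exe"},
        "condition": "selection and not filter_agent",
    },
}

# Sigma value modifiers; string matching is case-insensitive, as in Sigma.
MODIFIERS = {
    "": lambda v, p: v == p,
    "contains": lambda v, p: p in v,
    "endswith": lambda v, p: v.endswith(p),
    "startswith": lambda v, p: v.startswith(p),
}

def field_matches(event, spec_key, patterns):
    """One field spec such as 'CommandLine|contains'; a list of values is OR-ed."""
    field_name, _, modifier = spec_key.partition("|")
    value = str(event.get(field_name, "")).lower()
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(MODIFIERS[modifier](value, str(p).lower()) for p in patterns)

def selection_matches(event, selection):
    """Every field spec inside one selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def evaluate_condition(condition, results):
    """Evaluate e.g. 'selection and not filter_agent' (and/or/not, parentheses)."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = [0]  # cursor shared by the nested recursive-descent functions
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]
    def chain(op, sub):  # left-associative chain of `sub` joined by `op`
        value = sub()
        while pos[0] < len(tokens) and tokens[pos[0]] == op:
            take()
            rhs = sub()
            value = (value or rhs) if op == "or" else (value and rhs)
        return value
    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            take()  # consume ')'
            return value
        return results[tok]  # KeyError if the condition names an undefined selection
    term = lambda: chain("and", factor)
    expr = lambda: chain("or", term)
    return expr()

def rule_matches(rule, event):
    det = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in det.items() if name != "condition"}
    return evaluate_condition(det["condition"], results)

def validate_rule(rule, events):
    """Replay the rule over events labelled during scoping. 'missed' events are
    attacker TTPs this rule does not cover and need a rule of their own."""
    counts = {"true_positives": 0, "false_positives": 0, "missed": 0, "benign_ignored": 0}
    for ev in events:
        hit = rule_matches(rule, ev)
        if hit:
            counts["true_positives" if ev["malicious"] else "false_positives"] += 1
        else:
            counts["missed" if ev["malicious"] else "benign_ignored"] += 1
    return counts

# Constructed 4688-style events (Process -> Image, ParentProcessName -> ParentImage); 'malicious' is the analyst's label.
EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": 'net group "Domain Admins" /domain',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "malicious": True},
    {"Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /domain_trusts /all_trusts",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "malicious": True},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use Z: \\fileserver\share",
     "ParentImage": r"C:\Windows\explorer.exe", "malicious": False},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": 'net group "Domain Admins" /domain',
     "ParentImage": r"C:\Program Files\Monitoring\monitoringagent.exe", "malicious": False},
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "malicious": True},
]

if __name__ == "__main__":
    print(validate_rule(RULE, EVENTS))
```

On these events the rule catches the two net/nltest executions, leaves the `net use` and the agent-spawned enumeration alone (the latter only because of the filter), and misses the `whoami` reconnaissance, which is exactly the signal that another rule is needed for that TTP. A filter this specific to one parent process belongs in the rule's falsepositives field before it is shared.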

Queries

// Validate the detection rule against incident data: T_START/T_END bound the incident window,
// ATTACKER_TOOLS is the list of process names documented in step 1
SecurityEvent
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where EventID == 4688
| where Process has_any (ATTACKER_TOOLS)
| summarize count() by Process, CommandLine

Notes

  • New detection rules should be tested in alert-only mode for 1-2 weeks before enabling automated response actions.
  • Share Sigma rules with the broader security community if the TTPs are not organization-specific.