mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 05:34:55 +03:00
mukul975
757f1c8eae
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing - detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis - performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation - analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation - hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
83 lines
2.1 KiB
Markdown
83 lines
2.1 KiB
Markdown
# SIEM Use Case Tuning API Reference
|
|
|
|
## Splunk Notable Event Export
|
|
|
|
### Export Notables via SPL
|
|
```spl
|
|
| inputlookup notable_events
|
|
| search status_label IN ("New", "In Progress", "Resolved")
|
|
| table rule_name, _time, status_label, src, dest, user, urgency
|
|
| rename status_label as disposition, _time as timestamp
|
|
| outputlookup alert_export.csv
|
|
```
|
|
|
|
### Splunk ES Correlation Search Tuning
|
|
```spl
|
|
# Measure FP rate per correlation search over 30 days
|
|
| inputlookup notable_events where earliest=-30d
|
|
| eval is_fp=if(status_label="Resolved" AND disposition="False Positive", 1, 0)
|
|
| stats count as total, sum(is_fp) as fp_count by rule_name
|
|
| eval fp_rate=round(fp_count/total, 4)
|
|
| sort -fp_rate
|
|
```
|
|
|
|
### Update Correlation Search Threshold
|
|
```
|
|
POST /servicesNS/nobody/SplunkEnterpriseSecuritySuite/saved/searches/{search_name}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
search=<updated_spl_with_new_threshold>
|
|
```
|
|
|
|
## Elastic Detection Rule Tuning
|
|
|
|
### List Detection Rules
|
|
```
|
|
GET /_security/detection_engine/rules/_find?per_page=100
|
|
Authorization: ApiKey <base64_api_key>
|
|
```
|
|
|
|
### Add Exception to Rule
|
|
```json
|
|
POST /_security/detection_engine/rules/exceptions
|
|
{
|
|
"rule_id": "rule-uuid",
|
|
"name": "Whitelist scanner IPs",
|
|
"entries": [
|
|
{
|
|
"field": "source.ip",
|
|
"operator": "is_one_of",
|
|
"value": ["10.0.1.50", "10.0.1.51"],
|
|
"type": "match_any"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
### Query Rule Execution Stats (Kibana)
|
|
```kql
|
|
event.kind: "signal" AND kibana.alert.rule.name: "Brute Force Detection"
|
|
| stats count by kibana.alert.workflow_status
|
|
```
|
|
|
|
## Alert Tuning Metrics
|
|
|
|
| Metric | Formula | Target |
|
|
|---|---|---|
|
|
| False Positive Rate | FP / (FP + TP) | < 30% |
|
|
| Precision | TP / (TP + FP) | > 70% |
|
|
| Alert-to-Incident Ratio | Incidents / Total Alerts | > 20% |
|
|
| Mean Time to Triage | avg(triage_end - alert_time) | < 15 min |
|
|
|
|
## CLI Usage
|
|
|
|
```bash
|
|
# Analyze alert CSV export
|
|
python agent.py --alert-csv notable_export.csv --output tuning.json
|
|
|
|
# Adjust FP threshold for whitelist candidates
|
|
python agent.py --alert-csv alerts.csv --fp-threshold 0.9 --top-rules 10
|
|
|
|
# CSV format: rule_name,timestamp,disposition,source,user,severity
|
|
```
|