Preface, Foreword, and Introduction

Security Operations Center Field Notes 7
SOC Defined 7
SOC Charter 8
Business Value Chain Tie In 8
Identify SOC Services 9
SOC Project Planning Outline and Field Notes 12
Useful MBA Concepts: SWOT and PESTL 17
SWOT Analysis 17
PESTL Analysis 18
Funding SecOps 18
Security Operations Centers Cost Components 22
In House vs. Outsourced vs. Virtual SOC 26
Getting into the Hunt 27
SOC Directly Supports the CSIRT Function 28
Metrics for the SOC 29
SOC Training, Skills, Staffing, and Roles 33
SOC Onboarding and Initial Training 33
SOC Analyst Skills 34
SOC Analyst Traits 36
SOC Roles 37
SOC Layered Operating Models 38
Two Tier Model 39
Three Tier Model 40
SOC Maturity Curve 41
Measuring Data Source Integration Maturity Levels 43
Measuring Alarm Processing Management Maturity Levels 44
Example SOC Shift Check List 45

Security Monitoring Use Cases by Data Source 46
The Scenario 46
The Setup 46
The Attacker's Plan to Find Data and Exfiltrate 47
The Defense Plan 47
Defining the SOC Use Case 50
Example: Web Presence Attack 51
Example: End User Payload Focused Attack 52
Organizational Considerations for Use Case Development 53
“Top Ten” Security Operations Use Cases 53
AntiSpam and Email Messaging 55
Email and Web: Interactions with Look-alike Domains 56
Antivirus Systems 57
Application Whitelisting 60
Command and Control 61
Data Loss Prevention (DLP) 61
Domain Name Services 62
End Point Detection and Response 65
Windows Account Life Cycle Events 67
Windows Group Life Cycle Events 70
Group Based Application and Filesystem Monitoring Rules and Alerts 71
Special Group Changes 71
Account Usage Events 72
Microsoft Routing and Remote Access 75
Account Logon: Jump Boxes 75
Network Hardware 77
Printing 78
Operating System Security, Change, and Stability 79
Data Leakage (USB Insertion) 81
Brute Force Authentication Attempts 82
DHCP and Layer Two Analysis 83
Next Generation Layer 7 Firewalls 85
DarkNet Network Monitoring 85
Overlay Networks and TOR 86
Unused Network Ranges 86
Network Intrusion Detection / Prevention 87
Pass the Hash (Windows) 89
Perimeter Security Focused Access 90
Top One Million Site Checks 94
Top Ten IP Address Use Cases 96
Web Application Firewalls (WAF) 97
Web Proxies 97
Webserver and Application Server Activity 99
Windows Process (Sysmon and Event 4688) 102
Windows Process Execution Patterns and IoCs 104
Windows Server Presence Indicators 106
Windows Workstation Presence Indicators and Event Forwarding 106
X-Forwarded-For, NAT, and the True Source IP Topics 108

SOC and SIEM Use Case Template 110
SIEM/SOC Use Case Development Process 110
Template Instructions 111
Use Case Template 111
Complete SOC and SIEM Use Case Example 116
Monitoring Elevated Access Group Membership 116
Name: Monitoring Elevated Group Membership 116
Problem Statement 116
Requirement Statement(s) 117
Design Specifications and Discrete Objectives 118
Security Operations Center Notification 118
Use Case Component Name(s) 119
Use Case Data Source Description 119
Use Case Data Stream Analysis 119
Kill Chain Analysis and Support 120
Assumptions and Limitations 120
Alternative Solutions 120
Partial SOC Use Cases 121
Partial Use Case: Windows Network User Presence 121
Partial Use Case: System Not Logging/Reporting 121
Partial Use Case: External (VPN) and Internal (Desktop/Server) Access 122
Partial Use Case: IDS Stacked Events 122
Partial Use Case: Policy Violation Issues 122

A Day in the Life of a SOC Analyst 124
Alarm Triage Overview 125
Dashboard or Summary Data Review 127
Security State Data Review 127
Validating Security Event Data Sources 128
SOC Support System(s) Component Health Review 128
Identify and Report IT Operational Issues 130
Active Threat Hunting 131
Review Security Intelligence Data 131
Alarm Investigation Process 132
Analysis by Data Source 133
Performing Well Rounded Alarm Analysis 136
Skill Development Moment: Graph Theory vs. List Thinking 140
Alarm Statistics 142

Applying Threat Hunting Practices to the SOC 144
Example Threat Hunt Daily Check List 147
Hunting Historical Data Based on Current Intel 148
Excessive, or Multiple, Source IPs for User Logins 149
Web (HTTP) Transactions in Volume per Day 150
Command and Control Detection 150
Lateral Movement or Lateral Traversal 153
Windows System Traces 155
Network Traces 156
Using the Lockheed Martin Cyber Kill Chain 156
Indicators of Compromise and Attack Data Dependencies 159

SIEM Field Notes 162
General Principles to Run a Successful SIEM 162
Implement Synthetic Transactions 164
Severity, Priority, Urgency, and Reliability Criteria 165
Event Generators Influence Severity 167
Assets Have Multiple Values: Understand Why 167
Vulnerability Data 167
IP Address History 168
IoC Contributions and Threat Intelligence Feeds 168
NIDS Deployment and Data Collection 168
SIEM Deployment Checklist 169
Understand Why SIEM Deployments Fail so It Won’t Happen to You 170
SIEM Event Categorization and Taxonomy 175
Networks, Assets, and SIEM Automation 175
SIEM Data Collection Methods 176

Timekeeping and Event Times 182
Daylight Saving Time 184
Network Time Protocol (NTP) 184
NTP Device Configuration 185

Manual Log Analysis for IR and the SOC 186

Log Management 189
Log Record Data Elements 189
Logging System Components 191
Log Times 193
Detecting NTP Issues Use Case 194
Log Retention, Audit, and Compliance Considerations 195
Logging and SOC Program Maturity from NIST 197

Security Onion: Effective Network Security Monitoring 199
NSM Platform Advice from the Field 200

Continuous Monitoring 202
Security Architecture Considerations 205
Useful Reports, References, and Standards 211
Common TCP and UDP Ports 215
Bibliography and References 218
Index 220

Copyright © Blue Team Handbook. All rights reserved.