CSA Tools and Labs

The document outlines various cyber threats, including SQL injection, XSS, network scanning, and brute force attacks, along with methods for detecting and analyzing indicators of compromise (IoCs) using tools like Wireshark and Splunk. It also discusses incident detection and response strategies, including log analysis and ticket generation for incidents. Additionally, it emphasizes the integration of threat intelligence into detection frameworks like ELK and OSSIM.

Uploaded by

tangoclaim
#Cyber Threats, IoCs, and Attack Methodology -

1. Application Level Threats: Understanding the Working of SQL Injection Attacks
2. Application Level Threats: Understanding the Working of XSS Attacks
3. Network Level Threats: Understanding the Working of Network Scanning Attacks
4. Host Level Threats: Understanding the Working of Brute Force Attacks
5. Detecting and Analyzing IoCs using Wireshark

#Incidents, Events, and Logging -

1. Local Logging: Configuring, Monitoring, and Analyzing Windows Logs
2. Local Logging: Configuring, Monitoring, and Analyzing IIS Logs
3. Local Logging: Configuring, Monitoring, and Analyzing Snort IDS Logs
4. Centralized Logging: Collecting Logs from Different Devices into a Centralized Location Using Splunk

#Incident Detection with SIEM -

1. Host Level Incident Detection: Creating Splunk Use Case for Detecting and Generating Alert on Brute-Force Attempts
2. Application Level Incident Detection: Creating Splunk Use Case for Detecting and Generating Alert on SQL Injection Attempts
3. Application Level Incident Detection: Creating Splunk Use Case for Detecting and Generating Alert on XSS Attempts
4. Network Level Incident Detection: Creating Splunk Use Case for Detecting and Generating Alert on Network Scanning Attempts
5. Network Level Incident Detection: Creating Splunk Use Case for Monitoring Insecure Ports and Services
6. Host Level Incident Detection: Creating ELK Use Case for Monitoring Trusted Binaries Connecting to the Internet
7. Host Level Incident Detection: Creating ELK Use Case for Monitoring Credential Dumping Using Mimikatz
8. Host Level Incident Detection: Creating ELK Use Case for Monitoring Malware Activity in the System

#Enhanced Incident Detection with Threat Intelligence -

1. Integrating IoCs into ELK Stack
2. Integrating OTX Threat Data in OSSIM

#Incident Response -

1. Generating Ticket - AlienVault OSSIM
2. Containing Data Loss Incidents - Splunk - Blocking FTP Connection
3. Eradicating SQL Injection and XSS Incidents
4. Recovering from Data Loss Incidents
5. Creating Incident Reports using OSSIM
====================================================================================================
SQL Injection Attempts -

host=Server2019 sourcetype=iis | eval cs_uri_query=urldecode(cs_uri_query) | regex cs_uri_query="(?i)(%27)|(')|(--)|(%23)|(#)" | iplocation c_ip | table _time cs_uri_query cs_User_Agent c_ip

Splunk's regex command takes a bare PCRE pattern, so /.../ix delimiters are read as literal characters; the (?i) flag gives the intended case-insensitive match. Because cs_uri_query is URL-decoded first, the %27 and %23 alternatives only fire on double-encoded input, and a bare apostrophe also matches legitimate values such as O'Brien, so review hits before turning this into an alert.

XSS -

host=Server2019 sourcetype=iis "%3CSCRIPT" OR "Javascript" OR "Alert" OR "%3C%2Fscript"
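The two Splunk searches above can be reproduced offline so the patterns can be tested against known-good and known-bad requests before they become alerts. The following is an added example, not code from the original page or the lab: it parses a constructed IIS W3C log excerpt (the #Fields header defines the column order, as IIS writes it), URL-decodes cs-uri-query and applies the same SQL injection pattern and the XSS keywords from the searches. The sample log lines, host addresses and user agents are invented for the demo; (?i) stands in for the /.../ix flags.

```python
"""Detecting SQL injection and XSS attempts in IIS W3C log lines.

Added example (not part of the original page). Re-implements the two Splunk
searches for SQLi and XSS in Python so the patterns can be tested offline.
"""
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real traffic). Real IIS logs encode
# spaces inside fields as '+', which these samples avoid for brevity.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.10.10.10 GET /products.aspx id=42 80 - 10.10.10.20 Mozilla/5.0 200
2024-05-01 10:00:02 10.10.10.10 GET /products.aspx id=42%27%20OR%201%3D1-- 80 - 10.10.10.19 sqlmap/1.7 500
2024-05-01 10:00:03 10.10.10.10 GET /search.aspx q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 80 - 10.10.10.19 Mozilla/5.0 200
2024-05-01 10:00:04 10.10.10.10 GET /search.aspx q=chairs 80 - 10.10.10.21 Mozilla/5.0 200
"""

# Same alternatives as the Splunk regex stage, applied after URL-decoding:
# quote, SQL line comment, or hash (the encoded forms only hit double encoding).
SQLI_RE = re.compile(r"(?i)(%27)|(')|(--)|(%23)|(#)")
# The XSS search's keywords on decoded text; alert is tightened to alert( so
# words like "alerts" do not match.
XSS_RE = re.compile(r"(?i)(<script)|(javascript)|(alert\s*\()|(</script)")


def parse_iis(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or headerless line: skip instead of crashing
        yield dict(zip(fields, values))


def detect(text):
    """Return (category, client IP, decoded query, user agent) for each hit."""
    hits = []
    for rec in parse_iis(text):
        query = unquote(rec["cs-uri-query"])
        if SQLI_RE.search(query):
            hits.append(("sqli", rec["c-ip"], query, rec["cs(User-Agent)"]))
        if XSS_RE.search(query):
            hits.append(("xss", rec["c-ip"], query, rec["cs(User-Agent)"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_IIS_LOG):
        print(hit)
```

Running the block reports one SQLi hit and one XSS hit, both from 10.10.10.19, and nothing for the two benign requests; the same four lines make a useful fixture for checking that a tweak to the Splunk regex does not start matching ordinary query strings.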
Network Scan -

host=Server2019 source=ids 10.10.10.19 "TCP Scan Attempted"

host=Server2019 source=ids 10.10.10.19 "Xmas Scan Attempted"

host=Server2019 source=ids 10.10.10.19 "FIN Scan Attempted"
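Each of the three searches above pulls one scan signature for one source host. For an alert you normally want the reverse: group the Snort alerts by source, and fire when one source has touched enough distinct destination ports. The following is an added example, not code from the original page or the lab, that does that over Snort "fast" alert lines. The alert lines are constructed for the demo; the "... Scan Attempted" messages follow the custom rule names used in the searches, and the threshold of three ports is an assumption to tune per environment.

```python
"""Correlating Snort port-scan alerts by source address.

Added example (not part of the original page). Groups Snort fast-format
alerts by source IP and flags sources whose scan alerts span many ports.
"""
import re
from collections import defaultdict

# Constructed Snort fast-format alerts (not real traffic). The last line is
# a non-scan signature and must not count toward the threshold.
SAMPLE_SNORT_FAST = """\
05/01-10:00:01.000001  [**] [1:1000001:1] TCP Scan Attempted [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.10.19:51000 -> 10.10.10.10:22
05/01-10:00:01.000201  [**] [1:1000001:1] TCP Scan Attempted [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.10.19:51001 -> 10.10.10.10:80
05/01-10:00:01.000402  [**] [1:1000002:1] Xmas Scan Attempted [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.10.19:51002 -> 10.10.10.10:443
05/01-10:00:01.000603  [**] [1:1000003:1] FIN Scan Attempted [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.10.19:51003 -> 10.10.10.10:3389
05/01-10:05:44.120000  [**] [1:1000001:1] TCP Scan Attempted [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.10.21:40000 -> 10.10.10.10:80
05/01-10:06:02.000000  [**] [1:1000009:1] Suspicious Web Request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.10.10.19:51004 -> 10.10.10.10:8080
"""

# One fast-format line:
#   timestamp  [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast(text):
    """Yield a dict of named fields for every line that matches the format."""
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            yield m.groupdict()


def scan_sources(text, min_ports=3):
    """Map source IP -> {"scan_types": set, "ports": set} for sources whose
    scan alerts reached at least min_ports distinct destination ports."""
    by_src = defaultdict(lambda: {"scan_types": set(), "ports": set()})
    for alert in parse_fast(text):
        if "Scan Attempted" not in alert["msg"]:
            continue  # only the scan signatures count toward the threshold
        by_src[alert["src"]]["scan_types"].add(alert["msg"])
        by_src[alert["src"]]["ports"].add(int(alert["dport"]))
    return {ip: v for ip, v in by_src.items() if len(v["ports"]) >= min_ports}


if __name__ == "__main__":
    for ip, info in scan_sources(SAMPLE_SNORT_FAST).items():
        print(ip, sorted(info["scan_types"]), sorted(info["ports"]))
```

With the sample input only 10.10.10.19 is reported, with three scan types across four ports; 10.10.10.21 stays below the threshold and the non-scan signature is ignored. The Splunk equivalent of this stage is a stats over the source field that counts distinct destination ports and collects signature values, followed by a where clause on the count.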
