topic Re: How best MITRE ATT&amp;CK be used for SIEM usecase built? in Threats https://community.isc2.org/t5/Threats/How-best-MITRE-ATT-amp-CK-be-used-for-SIEM-usecase-built/m-p/45780#M323 <OL><LI>Research what threat actors are targeting your specific industry</LI><LI>APT 29 Cozy Bear, just as an example</LI><LI>Look at the 'Techniques Used' section within APT29&nbsp;<A href="https://attack.mitre.org/groups/G0016/" target="_blank" rel="noopener">APT29</A></LI><LI>Start at the top within the field 'ID' with T1548&nbsp;<A href="https://attack.mitre.org/techniques/T1548/" target="_blank" rel="noopener">Abuse Elevation Control Mechanism</A></LI><LI>Use the 'Detection' section to look at what events need to be monitored and sent to the SIEM</LI><LI>Repeat until all techniques are able to be monitored by the SIEM</LI></OL><P>Some techniques overlap with other APT groups so I wouldn't use it for attribution necessarily.&nbsp; &nbsp;</P> Tue, 01 Jun 2021 13:56:42 GMT tmekelburg1 2021-06-01T13:56:42Z How best MITRE ATT&CK be used for SIEM usecase built? https://community.isc2.org/t5/Threats/How-best-MITRE-ATT-amp-CK-be-used-for-SIEM-usecase-built/m-p/45777#M322 <P>I'm interested to hear the practical usage of MITRE framework on building the SIEM usecase?</P> Tue, 01 Jun 2021 13:06:48 GMT https://community.isc2.org/t5/Threats/How-best-MITRE-ATT-amp-CK-be-used-for-SIEM-usecase-built/m-p/45777#M322 Debs 2021-06-01T13:06:48Z Re: How best MITRE ATT&CK be used for SIEM usecase built? https://community.isc2.org/t5/Threats/How-best-MITRE-ATT-amp-CK-be-used-for-SIEM-usecase-built/m-p/45780#M323 <OL><LI>Research what threat actors are targeting your specific industry</LI><LI>APT 29 Cozy Bear, just as an example</LI><LI>Look at the 'Techniques Used' section within APT29&nbsp;<A href="https://attack.mitre.org/groups/G0016/" target="_blank" rel="noopener">APT29</A></LI><LI>Start at the top within the field 'ID' with T1548&nbsp;<A href="https://attack.mitre.org/techniques/T1548/" target="_blank" rel="noopener">Abuse Elevation Control Mechanism</A></LI><LI>Use the 'Detection' section to look at what events need to be monitored and sent to the SIEM</LI><LI>Repeat until all techniques are able to be monitored by the SIEM</LI></OL><P>Some techniques overlap with other APT groups so I wouldn't use it for attribution necessarily.&nbsp; &nbsp;</P> Tue, 01 Jun 2021 13:56:42 GMT https://community.isc2.org/t5/Threats/How-best-MITRE-ATT-amp-CK-be-used-for-SIEM-usecase-built/m-p/45780#M323 tmekelburg1 2021-06-01T13:56:42Z