Skill UI

This guide details how to write advanced correlation searches using Splunk's Search Processing Language (SPL). It covers techniques like threshold-based detection, sequence analysis, and anomaly detection to identify sophisticated security threats (e.g., brute force, data exfiltration, lateral movement) in a Security Operations Center (SOC) environment. Mastery of SPL is essential for closing SIEM detection gaps and ensuring compliance.

This skill guides SOC analysts and detection engineers on how to correlate complex, multi-stage attacks within the IBM QRadar SIEM platform. It covers advanced usage of AQL (Ariel Query Language) for deep event investigation, building custom correlation rules (Building Blocks and Offenses), and cross-source data correlation (e.g., auth failures with network flows). It is essential for reducing false positives and improving threat detection accuracy.

This skill provides comprehensive detection methods for credential dumping techniques, a critical post-exploitation phase in cyber attacks. It targets the extraction of sensitive credentials from LSASS memory, SAM registry hives, and NTDS.dit using advanced security visibility. Detection relies on analyzing Sysmon Event ID 10 (ProcessAccess), Windows Security logs, and complex SIEM correlation rules, making it essential for SOC analysts and threat hunters investigating advanced persistent threats (APTs).

A comprehensive guide and framework for detecting attacker lateral movement within enterprise networks. It details the use of network flow analysis (Zeek), authentication log review (Windows Event Logs, Kerberos), and dedicated SIEM correlation rules (Splunk, Elastic) to identify techniques like Pass-the-Hash and RDP hopping. Ideal for threat hunters and security engineers building detection pipelines.

A comprehensive skill for detecting early-stage ransomware indicators before data encryption occurs. It utilizes advanced network detection tools such as Zeek and Suricata, combined with SIEM correlation rules and threat intelligence feeds. This method monitors the entire pre-encryption kill chain, identifying precursor behaviors like initial access broker activity, Cobalt Strike C2 beaconing, credential harvesting (e.g., Mimikatz signatures), and data staging attempts, enabling timely incident response and containment.

A comprehensive guide and set of detection rules for identifying OS credential dumping techniques (MITRE T1003). It leverages EDR telemetry, Sysmon process access monitoring, and Windows security event correlation to detect attacks targeting LSASS memory, SAM databases, and NTDS.dit files. Essential for proactive threat hunting and incident response.

This guide details how to implement advanced SIEM correlation rules to detect sophisticated Advanced Persistent Threats (APTs). By chaining multiple event types—including Windows authentication events, process execution telemetry, and network connection logs—across hosts, users can surface complex attack sequences that are invisible to single-event detections. It utilizes Splunk SPL and Sigma rule formats for robust security posture enhancement.