Security Monitoring Setup
SIEM configurations, log correlation rules, threat detection queries, and security dashboard templates.
📄 Product Preview
Try the interactive reader and demo tools below, or get the full product with all content unlocked.
📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample📁 File Structure 29 files
📖 Documentation Preview README excerpt
Security Monitoring Setup
A complete, code-forward blueprint for a Linux/cloud detection and response
pipeline — from shipping raw logs all the way to ranked, correlated incidents.
This is not a vendor brochure: it is the actual config, detection rules, and a
dependency-free correlation engine you deploy and adapt.
The stack: Filebeat → Logstash (ECS normalization) → Elasticsearch, with
Sigma detections, Falco runtime rules, auditd syscall auditing,
Prometheus + ElastAlert alerting, a Grafana dashboard, threat-hunting
queries, a MITRE ATT&CK coverage map, and an incident-triage runbook — tied
together by scripts/log_triage.py, a stdlib-only correlation tool that turns a
stream of findings into scored incidents.
Every file is annotated with the why. All addresses use RFC1918 internal ranges
and RFC5737 documentation ranges; no real hosts, keys, or credentials appear
anywhere.
Who this is for
Security engineers, SREs, and platform teams standing up (or sharpening) a
detection capability without buying a six-figure SIEM. You should be comfortable
on Linux and with JSON/YAML; the detections assume basic familiarity with the
MITRE ATT&CK vocabulary, which mitre/attack-mapping.md reinforces.
What you get
- A real ingestion pipeline: annotated
filebeat.ymland a Logstash pipeline
that parses auth/sudo logs and normalizes everything to **Elastic Common
Schema** so detections are written once against stable field names.
- High-signal detections: five Sigma rules (SSH brute force→success, web
shell, curl|bash, sudoers tampering, AWS root login) and six Falco
runtime rules, each tagged to MITRE ATT&CK.
- Syscall auditing: a curated
auditd/audit.ruleswatching the files,
binaries, and syscalls that matter — without drowning you in noise.
- Correlation that thinks in attack chains: a documented correlation model
and scripts/log_triage.py, a stdlib-only engine that detects four named
attack chains, scores them, and dedups — its output is the spec.
- Alerting + visualization: Prometheus rules for pipeline health and signal
spikes, an ElastAlert rule for live brute-force alerting, and an importable
Grafana Security Overview dashboard.
- Hunting + response: eight threat-hunting queries (KQL/DSL/SPL), a MITRE
ATT&CK coverage matrix with an honest gap analysis, and a battle-tested
incident-triage runbook.
Prerequisites
| Tool | Why | Notes |
|---|---|---|
| Filebeat ≥ 8 | log shipping | filebeat test config validates the bundled config |
| Logstash ≥ 8 | parsing + ECS normalization | pipeline is portable to Vector/Fluentd |
| Elasticsearch/OpenSearch ≥ 8 | store + search | dashboard + hunts target security-* indices |
| Falco ≥ 0.36 | runtime/syscall detection | falco -L validates the local rules |
| auditd | syscall auditing | auditctl -R audit.rules to load |
| Prometheus + Grafana | alerting + dashboards | promtool check rules validates the alerts |
| Python ≥ 3.10 | log_triage.py | stdlib only, no pip install |
... continues with setup instructions, usage examples, and more.