← Back to all products

Security Monitoring Setup

$49

SIEM configurations, log correlation rules, threat detection queries, and security dashboard templates.

📁 29 files
MarkdownJSONYAMLPythonAWSGrafanaPrometheus

📄 Product Preview

Try the interactive reader and demo tools below, or get the full product with all content unlocked.

📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample

📁 File Structure 29 files

security-monitoring-setup/ ├── LICENSE ├── README.md ├── alerts/ │ ├── elastalert-bruteforce.yml │ └── prometheus-security-rules.yml ├── auditd/ │ └── audit.rules ├── correlation/ │ └── correlation-logic.md ├── dashboards/ │ └── grafana-security-overview.json ├── detection/ │ └── threat-hunting-queries.md ├── examples/ │ ├── sample-auth-log.txt │ ├── sample-falco-alert.json │ └── sample-findings.ndjson ├── falco/ │ └── falco_rules.local.yaml ├── free-sample.zip ├── guide/ │ ├── 01-detection-engineering-overview.md │ ├── 02-log-ingestion-and-normalization.md │ ├── 03-detection-rules-and-correlation.md │ ├── 04-alerting-and-visualization.md │ └── 05-threat-hunting-and-incident-triage.md ├── index.html ├── mitre/ │ └── attack-mapping.md ├── pipeline/ │ ├── filebeat.yml │ └── logstash-pipeline.conf ├── runbooks/ │ └── incident-triage-runbook.md ├── scripts/ │ └── log_triage.py └── sigma/ └── rules/ ├── aws_root_console_login.yml ├── ssh_bruteforce.yml ├── sudoers_modification.yml ├── suspicious_shell_pipe.yml └── webshell_spawned_process.yml

📖 Documentation Preview README excerpt

Security Monitoring Setup

A complete, code-forward blueprint for a Linux/cloud detection and response

pipeline — from shipping raw logs all the way to ranked, correlated incidents.

This is not a vendor brochure: it is the actual config, detection rules, and a

dependency-free correlation engine you deploy and adapt.

The stack: Filebeat → Logstash (ECS normalization) → Elasticsearch, with

Sigma detections, Falco runtime rules, auditd syscall auditing,

Prometheus + ElastAlert alerting, a Grafana dashboard, threat-hunting

queries, a MITRE ATT&CK coverage map, and an incident-triage runbook — tied

together by scripts/log_triage.py, a stdlib-only correlation tool that turns a

stream of findings into scored incidents.

Every file is annotated with the why. All addresses use RFC1918 internal ranges

and RFC5737 documentation ranges; no real hosts, keys, or credentials appear

anywhere.


Who this is for

Security engineers, SREs, and platform teams standing up (or sharpening) a

detection capability without buying a six-figure SIEM. You should be comfortable

on Linux and with JSON/YAML; the detections assume basic familiarity with the

MITRE ATT&CK vocabulary, which mitre/attack-mapping.md reinforces.

What you get

  • A real ingestion pipeline: annotated filebeat.yml and a Logstash pipeline

that parses auth/sudo logs and normalizes everything to **Elastic Common

Schema** so detections are written once against stable field names.

  • High-signal detections: five Sigma rules (SSH brute force→success, web

shell, curl|bash, sudoers tampering, AWS root login) and six Falco

runtime rules, each tagged to MITRE ATT&CK.

  • Syscall auditing: a curated auditd/audit.rules watching the files,

binaries, and syscalls that matter — without drowning you in noise.

  • Correlation that thinks in attack chains: a documented correlation model

and scripts/log_triage.py, a stdlib-only engine that detects four named

attack chains, scores them, and dedups — its output is the spec.

  • Alerting + visualization: Prometheus rules for pipeline health and signal

spikes, an ElastAlert rule for live brute-force alerting, and an importable

Grafana Security Overview dashboard.

  • Hunting + response: eight threat-hunting queries (KQL/DSL/SPL), a MITRE

ATT&CK coverage matrix with an honest gap analysis, and a battle-tested

incident-triage runbook.


Prerequisites

ToolWhyNotes
Filebeat ≥ 8log shippingfilebeat test config validates the bundled config
Logstash ≥ 8parsing + ECS normalizationpipeline is portable to Vector/Fluentd
Elasticsearch/OpenSearch ≥ 8store + searchdashboard + hunts target security-* indices
Falco ≥ 0.36runtime/syscall detectionfalco -L validates the local rules
auditdsyscall auditingauditctl -R audit.rules to load
Prometheus + Grafanaalerting + dashboardspromtool check rules validates the alerts
Python ≥ 3.10log_triage.pystdlib only, no pip install

... continues with setup instructions, usage examples, and more.

📄 Code Sample .py preview

scripts/log_triage.py #!/usr/bin/env python3 """log_triage.py — correlate security findings into ranked incidents. This is the executable specification of ``correlation/correlation-logic.md``. It reads a stream of normalized security findings (one JSON object per line — the shape produced by ``pipeline/logstash-pipeline.conf`` and emitted by Falco / ElastAlert), groups them into incidents by actor/asset within a time window, detects the named attack chains (A–D), scores and deduplicates them, and prints a ranked triage summary. It depends on the Python standard library only — no SIEM, no pip install — so it runs anywhere you can get a log export, including an air-gapped jump host during an incident. Examples: # Rank incidents from an exported NDJSON file: python3 log_triage.py --input alerts.ndjson # Pipe a single alert in (as the ElastAlert rule does) for chain context: cat one-alert.json | python3 log_triage.py --stdin # Treat two hosts as crown jewels (raises their incident scores): python3 log_triage.py -i alerts.ndjson --crown-jewels db-01,vault-01 Input format: One JSON object per line. Fields are looked up by several common dotted paths, so both ECS-normalized auth events and raw Falco/Suricata alerts work without pre-processing. Unparseable lines are skipped (and counted). """ from __future__ import annotations import argparse import hashlib import json import logging import sys from dataclasses import dataclass, field from datetime import datetime, timezone from pathlib import Path from typing import Any, Callable, Iterable, Optional LOG = logging.getLogger("log_triage") TOOL_VERSION = "2026.1" # --- Severity model (correlation-logic.md §4.1) ------------------------------ LEVEL_BASE: dict[str, int] = { "informational": 5, "low": 15, "medium": 35, # ... 631 more lines ...
Buy Now — $49 Back to Products