Blue Team Field Notes (DFIR · SOC · Vulnerability Management)
Operational cheatsheets

SIEM queries

Quick commands, SIEM queries and condensed playbooks for daily triage.

Splunk

Authentication failures

index=windows EventCode=4625 earliest=-1h
| stats count by user src host
| where count >= 5
| sort - count

Suspicious processes

index=sysmon EventCode=1
| where match(lower(CommandLine),"powershell.*(-enc|encodedcommand)|rundll32|regsvr32")
| table _time host User ParentImage Image CommandLine

Suricata

index=suricata event_type=alert
| stats count values(alert.signature) by src_ip dest_ip
| sort - count

Elastic KQL

event.code : "4625" and user.name : *
process.name : "powershell.exe" and process.command_line : (*-enc* or *EncodedCommand*)

ES|QL

FROM logs-*
| WHERE event.code == "4625"
| STATS failures=COUNT(*) BY user.name, source.ip
| WHERE failures >= 5
| SORT failures DESC

Principle

Always include: the time window, the expected log source, the minimum set of fields, a justified threshold, known false positives and the triage steps.
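The failure threshold from the Splunk / ES|QL queries and the command-line pattern from the Sysmon query, re-implemented in Python over constructed events so the window, grouping and threshold can be checked outside the SIEM. This is an added example, not code from the original page; the event list, timestamps and command lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4625 events (not real logs), using the same field names as
# the Splunk query: _time, user, src, host.
SAMPLE_4625 = (
    [{"_time": f"2024-05-01T10:{m:02d}:00", "user": "alice", "src": "10.0.0.5", "host": "DC01"}
     for m in (10, 15, 20, 25, 30, 35)]                       # 6 failures inside the window
    + [{"_time": f"2024-05-01T10:{m:02d}:00", "user": "bob", "src": "10.0.0.9", "host": "DC01"}
       for m in (40, 41)]                                     # 2 failures: below threshold
    + [{"_time": f"2024-05-01T08:{m:02d}:00", "user": "carol", "src": "10.0.0.7", "host": "FS01"}
       for m in range(0, 50, 10)]                             # 5 failures, but older than 1h
)
SAMPLE_NOW = "2024-05-01T11:00:00"   # constructed "search time"

def failed_logon_bursts(events, now_iso, window=timedelta(hours=1), threshold=5):
    """Same logic as the Splunk / ES|QL failure queries: keep events inside the
    time window (earliest=-1h), count by (user, src, host), keep groups at or
    above the threshold (count >= 5) and sort by count descending."""
    now = datetime.fromisoformat(now_iso)
    start = now - window
    counts = defaultdict(int)
    for ev in events:
        ts = datetime.fromisoformat(ev["_time"])
        if start <= ts <= now:
            counts[(ev["user"], ev["src"], ev["host"])] += 1
    hits = [(key, n) for key, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)

# Same regex as the Sysmon query; it is applied to the lower-cased command line.
SUSPICIOUS_CMD = re.compile(r"powershell.*(-enc|encodedcommand)|rundll32|regsvr32")

def is_suspicious_commandline(command_line):
    """True when the command line matches the encoded-PowerShell / rundll32 /
    regsvr32 pattern. rundll32 and regsvr32 also appear in legitimate activity,
    so a hit still needs the parent process and the triage steps listed above."""
    return SUSPICIOUS_CMD.search(command_line.lower()) is not None

if __name__ == "__main__":
    for key, n in failed_logon_bursts(SAMPLE_4625, SAMPLE_NOW):
        print(f"{n} failures for user={key[0]} src={key[1]} host={key[2]}")
    for cmd in ("powershell.exe -NoP -EncodedCommand SQBFAFgA", "powershell.exe -Command Get-Date"):
        print(cmd, "->", is_suspicious_commandline(cmd))
```

Only alice's burst is reported: bob is under the threshold and carol's failures fall outside the one-hour window, which is exactly what the time window and threshold in the principle above are meant to enforce.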