Operational cheatsheets
SIEM queries
Quick commands, SIEM queries and concise playbooks for daily triage.
Splunk
Authentication failures
index=windows EventCode=4625 earliest=-1h
| stats count by user src host
| where count >= 5
| sort - count
Suspicious processes
index=sysmon EventCode=1
| where match(lower(CommandLine),"powershell.*(-enc|encodedcommand)|rundll32|regsvr32")
| table _time host User ParentImage Image CommandLine
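As an added example (not part of the original cheatsheet), the two Splunk searches above re-implemented in Python over constructed sample events, so the one-hour window, the count-by-user/src/host threshold and the command-line regex can be checked offline before the search is deployed. The event dictionaries and their field names are assumptions that follow the Splunk field names used in the queries; the events themselves are constructed, not real telemetry.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed reference time so the "earliest=-1h" window is deterministic (assumption).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed Windows 4625 (failed logon) events, flat like Splunk fields.
WINDOWS_EVENTS = [
    {"_time": NOW - timedelta(minutes=m), "EventCode": 4625,
     "user": "alice", "src": "10.0.0.5", "host": "DC01"}
    for m in (1, 2, 3, 4, 5, 6)          # six failures inside the last hour
] + [
    {"_time": NOW - timedelta(minutes=m), "EventCode": 4625,
     "user": "bob", "src": "10.0.0.9", "host": "DC01"}
    for m in (10, 20)                    # two failures: below the threshold
] + [
    {"_time": NOW - timedelta(hours=3), "EventCode": 4625,
     "user": "alice", "src": "10.0.0.5", "host": "DC01"}  # outside the window
]

# Constructed Sysmon EventCode 1 (process creation) events.
SYSMON_EVENTS = [
    {"_time": NOW, "host": "WS01", "User": "CORP\\alice", "EventCode": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand AAAA"},   # placeholder blob
    {"_time": NOW, "host": "WS01", "User": "CORP\\alice", "EventCode": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},                        # benign
    {"_time": NOW, "host": "WS02", "User": "CORP\\svc", "EventCode": 1,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                       # benign
]

# Same pattern as the Splunk match(); applied to lower()-cased input, so the
# alternatives are written in lower case exactly as in the search.
SUSPICIOUS_CMDLINE = re.compile(r"powershell.*(-enc|encodedcommand)|rundll32|regsvr32")


def failed_logon_candidates(events, now=NOW, window=timedelta(hours=1), threshold=5):
    """Mirror of:
    index=windows EventCode=4625 earliest=-1h
    | stats count by user src host | where count >= 5 | sort - count
    Returns [((user, src, host), count), ...] sorted by count descending."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") != 4625:
            continue
        if ev["_time"] < now - window:      # earliest=-1h
            continue
        counts[(ev["user"], ev["src"], ev["host"])] += 1
    hits = [(key, n) for key, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda kv: kv[1], reverse=True)


def suspicious_processes(events):
    """Mirror of:
    index=sysmon EventCode=1
    | where match(lower(CommandLine), "powershell.*(-enc|encodedcommand)|rundll32|regsvr32")
    | table _time host User ParentImage Image CommandLine"""
    columns = ("_time", "host", "User", "ParentImage", "Image", "CommandLine")
    rows = []
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        if SUSPICIOUS_CMDLINE.search(ev["CommandLine"].lower()):
            rows.append({c: ev[c] for c in columns})
    return rows


if __name__ == "__main__":
    for key, n in failed_logon_candidates(WINDOWS_EVENTS):
        print("failed logons", key, n)
    for row in suspicious_processes(SYSMON_EVENTS):
        print("suspicious process", row["host"], row["CommandLine"])
```

Raising `threshold` or shrinking `window` is the quickest way to see how many of the constructed hits survive, which is the tuning step the cheatsheet's principle asks for before a search becomes an alert.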
Suricata
index=suricata event_type=alert
| stats count values(alert.signature) by src_ip dest_ip
| sort - count
Elastic KQL
event.code : "4625" and user.name : *
process.name : "powershell.exe" and process.command_line : (*-enc* or *EncodedCommand*)
ES|QL
FROM logs-*
| WHERE event.code == "4625"
| STATS failures=COUNT(*) BY user.name, source.ip
| WHERE failures >= 5
| SORT failures DESC
Principle
Always add: time window, expected source, minimum fields, justified threshold, false positives and triage steps.