
A collection of open source threat detection rules created by Cyber Castle's team.

License: MIT

Open Threat Detection Rules

As part of our role in the cyber security community, we decided to publish some of our detection use cases so that organizations worldwide can enhance their detection capability and verify that capability with emulation tests.

-- Cyber Castle's team

Each threat detection rule contains the following:

  • A SIGMA rule describing the detection.
    • Windows/Linux detection use cases contain multiple separate YAML sections that use built-in Windows/Linux events and Sysmon/Auditd events. Sysmon/Auditd events can be mapped to the EDR-equivalent events.
  • An Atomic Red Team test for emulation, where possible.
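An added illustration of that layout (not a rule from this repository): one Sigma rule collection whose first YAML section carries the shared metadata and whose later sections each target a different event source, Sysmon Event ID 1 and the built-in Security Event ID 4688. It assumes the repository uses Sigma's `action: global` multi-document syntax; the title, the placeholder id and the whoami example are constructed.

```yaml
# Section 1: shared metadata, applied to every following section via "action: global"
action: global
title: Example - Whoami Execution (layout illustration)
id: 00000000-0000-0000-0000-000000000000   # placeholder UUID, replace before use
status: experimental
description: Detects execution of whoami.exe; one detection split across Sysmon and built-in Windows events
tags:
  - attack.discovery
  - attack.t1033
level: low
falsepositives:
  - Administrators checking their user context interactively
---
# Section 2: Sysmon Event ID 1 (process creation); can be mapped to the EDR process-creation event
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\whoami.exe'
  condition: selection
---
# Section 3: built-in Windows Security Event ID 4688 (no Sysmon required)
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith: '\whoami.exe'
  condition: selection
```

Running `whoami` from a command prompt on a test host is enough to exercise both sections, so the same action serves as the emulation step.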

Threat Detection Quality Assurance

Quality assurance is the main factor when creating the detection use cases. Cyber Castle's engineers follow a comprehensive and concrete life cycle to produce detection use cases with low false-positive and false-negative rates.

This life cycle includes an emulation of the attack and monitoring of the false-positive rate in our environments, along with multiple quality assurance criteria.