implementing-siem-correlation-rules-for-apt

# Implementing SIEM Correlation Rules for APT ## When to Use - When deploying or configuring implementing siem correlation rules for apt capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Familiarity with security operations concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions 1. Install dependencies: `pip install requests pyyaml sigma-cli` 2. Connect to the Splunk REST API and define correlation searches that chain multiple event types across hosts. 3. Build Sigma rules in YAML that express multi-step detection logic for lateral movement patterns: - RDP logon (4624 LogonType=10) followed by service installation (7045) on same target within 15 minutes - Pass-the-Hash: NTLM logon (4624 LogonType=3) followed by process creation (4688) of admin tools - PsExec-style: Named pipe creation (Sysmon 17/18) correlated with remote service creation (7045) 4. Convert Sigma rules to Splunk SPL using `sigma-cli convert`. 5. Deploy correlation searches to Splunk ES via the REST API. 6. Run the agent to generate and install correlation rules, then audit existing rules for coverage gaps. ```bash python scripts/agent.py --splu...