SIEMulate: Automating Cybersecurity Attack Simulations for SIEM Validation
| Published in: | ProQuest Dissertations and Theses (2025) |
|---|---|
| Publisher: | ProQuest Dissertations & Theses |
| Online access: | Citation/Abstract; Full Text - PDF |
| Abstract: | Security Information and Event Management (SIEM) systems are the analytic core of cybersecurity operations, yet their effectiveness depends on the reliability of their detection rules. Many Security Operations Centers (SOCs) do not perform ongoing validation of these rules, which can result in undetected adversarial activity and an inflated perception of coverage. This praxis introduces SIEMulate, an automated framework that validates SIEM detection rules by executing adversary emulation tests, collecting system telemetry, and comparing observed outcomes against expected detections inside a Continuous Integration / Continuous Delivery (CI/CD) pipeline. The implementation incorporates Atomic Red Team for the emulated adversary tests, Sysmon for enhanced endpoint telemetry, the Splunk threat research detection library for detection rules, and Splunk as the SIEM. The validation process runs within the automated pipeline, which verifies that logs were generated, maps events to MITRE ATT&CK techniques, and evaluates whether the detection rules matched the emulated adversary activity. Praxis results demonstrate the significant reduction in validation time achievable with automation: the validation pipeline averaged 26 seconds to complete across all 410 execution attempts (41.5 seconds for the 180 runs that fully completed all stages of the pipeline). It also provided greater context on why detections may fail, enabling detection engineers to focus on fixing the problem rather than on identifying it. The praxis further evaluated MITRE ATT&CK mapping as a measure of the completeness of an organization's detection posture and found that, while it may be a useful organizational framework, it is not a reliable proxy for effective detection. |
| ISBN: | 9798290927183 |
| Source: | ProQuest Dissertations & Theses Global |
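The validation loop the abstract describes (run an emulation, confirm the expected telemetry was generated, confirm the expected rule fired, and keep the two failure modes apart so the engineer knows whether to look at logging or at rule logic) reduced to a minimal offline check, together with the mapped-versus-validated coverage comparison that the praxis argues against conflating. This is an added example, not code from the praxis or from SIEMulate; the Atomic test IDs, rule names, Sysmon event fields, the `test_id` correlation tag, and all telemetry and alert records below are constructed assumptions for illustration.

```python
"""Minimal detection-validation pass in the style of the SIEMulate abstract.
All data here is constructed sample data; identifiers are assumptions, not taken
from the praxis or from any real detection library."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AtomicTest:
    test_id: str            # Atomic Red Team test identifier (constructed)
    technique: str          # ATT&CK technique the test emulates
    expected_rule: str      # detection rule that should fire for this test
    expected_event_id: int  # Sysmon EventID the rule keys on (1 = process create, 13 = registry set)


@dataclass(frozen=True)
class Verdict:
    test_id: str
    technique: str
    status: str   # "PASS", "NO_TELEMETRY" or "NO_ALERT"
    reason: str


# Constructed test plan: each emulation is pinned to the rule expected to catch it.
TESTS: List[AtomicTest] = [
    AtomicTest("T1059.001-1", "T1059.001", "Suspicious PowerShell Encoded Command", 1),
    AtomicTest("T1053.005-1", "T1053.005", "Scheduled Task Created Via Schtasks", 1),
    AtomicTest("T1547.001-1", "T1547.001", "Registry Run Key Persistence", 13),
]

# Constructed ATT&CK annotation of the rule set (rule name -> technique), as a
# detection library would ship it. Every technique above has a mapped rule.
RULE_MAP: Dict[str, str] = {
    "Suspicious PowerShell Encoded Command": "T1059.001",
    "Scheduled Task Created Via Schtasks": "T1053.005",
    "Registry Run Key Persistence": "T1547.001",
}

# Constructed Sysmon telemetry. Assumption: the pipeline stamps each emulation
# with a correlation tag so events can be attributed to a specific test run.
TELEMETRY: List[Dict] = [
    {"test_id": "T1059.001-1", "EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA..."},
    {"test_id": "T1053.005-1", "EventID": 1,
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /create /tn Updater /tr calc.exe /sc daily"},
    # T1547.001-1 produced no EventID 13: the Sysmon config did not log that key.
]

# Constructed alerts returned by the SIEM for this run. The schtasks rule exists
# and is mapped to T1053.005, but its pattern did not match this command line.
ALERTS: List[Dict] = [
    {"test_id": "T1059.001-1", "rule": "Suspicious PowerShell Encoded Command"},
]


def validate(tests: Iterable[AtomicTest], telemetry: List[Dict],
             alerts: List[Dict]) -> List[Verdict]:
    """Stage 1: did the expected telemetry reach the SIEM? Stage 2: did the rule fire?
    Checking telemetry first is what lets the verdict say *why* a detection failed."""
    verdicts: List[Verdict] = []
    for t in tests:
        events = [e for e in telemetry
                  if e["test_id"] == t.test_id and e["EventID"] == t.expected_event_id]
        if not events:
            verdicts.append(Verdict(t.test_id, t.technique, "NO_TELEMETRY",
                f"no Sysmon EventID {t.expected_event_id} recorded; "
                "check Sysmon config and log forwarding before touching the rule"))
            continue
        fired = any(a["test_id"] == t.test_id and a["rule"] == t.expected_rule
                    for a in alerts)
        if not fired:
            verdicts.append(Verdict(t.test_id, t.technique, "NO_ALERT",
                f"{len(events)} matching event(s) reached the SIEM but rule "
                f"'{t.expected_rule}' did not fire; rule logic is the suspect"))
            continue
        verdicts.append(Verdict(t.test_id, t.technique, "PASS",
                                f"rule '{t.expected_rule}' fired"))
    return verdicts


def coverage(tests: List[AtomicTest], rule_map: Dict[str, str],
             verdicts: List[Verdict]) -> Dict[str, float]:
    """'mapped' counts a technique as covered if any rule is annotated with it;
    'validated' counts it only if the emulation actually produced the expected alert."""
    techniques = {t.technique for t in tests}
    mapped = {tech for tech in rule_map.values() if tech in techniques}
    validated = {v.technique for v in verdicts if v.status == "PASS"}
    return {"mapped": len(mapped) / len(techniques),
            "validated": len(validated) / len(techniques)}


def pipeline_ok(verdicts: List[Verdict]) -> bool:
    """CI gate: the stage fails if any emulation did not end in PASS."""
    return all(v.status == "PASS" for v in verdicts)


if __name__ == "__main__":
    results = validate(TESTS, TELEMETRY, ALERTS)
    for v in results:
        print(f"{v.test_id:14} {v.technique:10} {v.status:13} {v.reason}")
    print("coverage:", coverage(TESTS, RULE_MAP, results))
    print("pipeline ok:", pipeline_ok(results))
```

With the constructed data every technique is "covered" by ATT&CK mapping (3/3), but only one of three emulations actually produces the expected alert, and the two failures are reported with different causes: one has no telemetry at all, the other has telemetry but a rule that did not match. In a real pipeline the correlation tag would come from the run identifier the CI job injects into the emulation, and the telemetry and alert lists would be pulled from the SIEM for that run's time window.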