Designing and Validating MITRE ATT&CK–Aligned SOC Alert Rules for End-to-End TTP Detection
Student Name: Tan Amos
Student Code: s22
Class Code: CCK3_250714
Institute: Centre for Cybersecurity
Trainer: Samson
Project Breach Trace is the second part of a breach simulation series, under the Security Operations Centre (SOC) track. This report documents a complete offensive-to-defensive workflow in a controlled lab, where simulated attacker TTPs are executed and then detected through SOC-style monitoring and alerting.
In a VMware Workstation virtual LAN, attacks were launched from a Kali Linux VM against a Windows Server 2019 Domain Controller and a Linux web server, with pfSense (Snort-enabled) providing network visibility and Elastic Security/Kibana serving as the central SIEM for analysis.
The work focuses on turning observable adversary behaviour into actionable detections by creating and validating alert rules aligned to each scenario, including SSH brute force, SMB brute force, SMB enumeration, SMB-based file exfiltration, hash dumping and Pass-the-Hash to obtain a DC shell, and an ICMP flood DoS. Results matched expectations end-to-end: 6 custom rules created → 6 attacks executed → 6 types of alerts triggered.
All attacks originated from the Kali Linux attacker VM (172.16.50.52) within a VMware Workstation virtual LAN lab. Security telemetry was ingested into the ELK server (172.16.50.2) and investigated using Elastic Security/Kibana, with pfSense/Snort contributing network IDS events for the DoS scenario.
-
pfSense (Netgate) firewall/router + Snort IDS: 172.16.50.1
-
ELK Linux server (Elastic Stack / Kibana): 172.16.50.2
-
Domain Controller (Windows Server 2019): 172.16.50.254
-
Linux Web Server: 172.16.100.20
-
Kali Linux (attacker): 172.16.50.52
-
Primary security events index pattern:
logs-*(used for attacks #1–#5) -
Firewall/IDS (pfSense/Snort) index pattern:
logs-pfelk-*(used for DoS attack #6) -
Note: The active Elastic Security data view determines which indices appear on Elastic Security pages and which indices detection rules can query.
This section summarizes the minimum logging and ingestion prerequisites I enabled so that Elastic Security received the right level of detail (event codes, fields, and context) to support the alert rules built for each attack scenario.
To ensure authentication, SMB, and object-access activity produced consistent Security Event Logs for detection, I enabled Advanced Audit Policy subcategories on the Domain Controller via Group Policy.
Steps:
-
Open Group Policy Management on the DC.
-
Create or edit a GPO linked to the domain/OU containing the DC.
-
Navigate to:
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies -
Enable the required audit subcategories (Success/Failure as appropriate).
-
Run
gpupdate /forceand confirm events appear in Event Viewer → Windows Logs → Security.
Audit subcategories enabled:
-
Logon/Logoff
-
Audit Logon (Success/Failure)
-
Audit Account Lockout (Failure)
-
Audit Special Logon (Success)
-
-
Account Logon
- Audit Credential Validation (Success/Failure)
-
Object Access (for SMB/share activity)
-
Audit File Share (Success/Failure)
-
Audit Detailed File Share (Success/Failure)
-
-
Detailed Tracking
- Audit Process Creation (Success)
Rationale:
-
Brute force and Pass-the-Hash patterns rely on authentication events.
-
SMB enumeration/exfiltration relies on share/file-share access auditing.
-
Process creation improves investigation context (what executed, when, and by whom).
Sysmon was installed to add higher-fidelity endpoint telemetry (process, network, and related activity) beyond default Windows logs.
Steps:
-
Download Sysmon from Microsoft Sysinternals on the Domain Controller and extract it (example folder:
C:\Tools\Sysmon). -
Place your Sysmon configuration XML in the same folder (example:
C:\Tools\Sysmon\sysmonconfig.xml). -
Open PowerShell as Administrator.
-
Change directory into the Sysmon folder:
cd C:\Tools\Sysmon
-
Install Sysmon and load the configuration (accept the EULA):
Sysmon64.exe -accepteula -i C:\Tools\Sysmon\sysmonconfig.xml
-
Confirm Sysmon is installed and running:
-
Open Services (
services.msc) → verify Sysmon64 is Running -
OR run:
sc query Sysmon64
-
-
If you need to update the configuration later, apply it without reinstalling:
Sysmon64.exe -c C:\Tools\Sysmon\sysmonconfig.xml
-
Confirm events are being written:
-
Open Event Viewer and navigate to the Sysmon Operational log (
Applications and Services Logs → Microsoft → Windows → Sysmon → Operational). -
Verify that recent Sysmon events are appearing (you should see new entries shortly after normal activity).
-
Windows events from the DC were forwarded to the ELK server (172.16.50.2) so that Elastic Security could query them in logs-* for attacks #1 - #5.
What was shipped:
-
Windows Security Event Log (authentication + SMB/share auditing)
-
Sysmon Operational log (enhanced endpoint telemetry)
Ingestion method (Winlogbeat):
-
Install Winlogbeat on the DC (common path:
C:\Program Files\Winlogbeat\). -
Open
winlogbeat.ymlas Administrator and configure these Windows event channels:-
Security -
Microsoft-Windows-Sysmon/Operational
-
-
Configure the output so logs are sent to your ELK pipeline on 172.16.50.2 (direct to Elasticsearch or via Logstash — whichever your lab uses).
-
Enable Sysmon parsing/normalization so Sysmon events map into useful structured fields in Elastic (module/pipeline depending on your setup).
-
Run validation tests from an elevated PowerShell:
-
winlogbeat test config -
winlogbeat test output
-
-
Install Winlogbeat as a service (if not already installed) and start it:
-
Typical flow:
winlogbeat.exe install-service -
Then:
Start-Service winlogbeat
-
-
Confirm Winlogbeat is running and sending events:
-
Check Services for winlogbeat = Running
-
In Kibana Discover, filter for
host.ip: 172.16.50.254and confirm Security + Sysmon events are arriving underlogs-*.
-
To support SSH brute force detection and investigation, Linux authentication logs were collected and shipped to ELK.
Steps:
-
Confirm SSH authentication is logging locally on the Linux web server:
-
Debian/Ubuntu:
/var/log/auth.log -
RHEL/CentOS:
/var/log/secure
-
-
Install your log shipper (Elastic Agent or Filebeat) on the Linux web server.
-
Enable collection for authentication/system logs:
- If using Filebeat: enable the system module (auth).
-
Ensure the shipper is reading the correct auth log path for your distro (auth.log vs secure).
-
Configure output to forward events to ELK (172.16.50.2) using your lab’s pipeline (Elasticsearch/Logstash).
-
Start the shipper and confirm it stays running:
- Check service status and logs to ensure there are no connection/parsing errors.
-
Generate a clear test event:
- Perform 1–2 failed SSH logins so you can easily validate ingestion and field parsing.
The ICMP flood DoS scenario was detected using Snort on pfSense (172.16.50.1). These IDS alerts were forwarded into ELK and stored under logs-pfelk-*, which was used only for the DoS detection rule.
Steps:
-
Install Snort on pfSense:
-
pfSense UI → System → Package Manager → Available Packages
-
Search Snort → Install
-
-
Enable Snort on the correct interface:
-
Services → Snort → Interfaces
-
Add/select the interface that carries your lab traffic (LAN/internal)
-
Enable Snort on that interface
-
-
Configure baseline Snort settings so alerts are generated and logged:
-
Ensure alert logging is enabled for the interface
-
Set protected networks appropriately (HOME_NET should cover your lab subnets, e.g.,
172.16.50.0/24and172.16.100.0/24)
-
-
Enable ICMP flood-related rules/signatures:
- In Snort rule management/categories, enable the rules that generate ICMP flood alerts
-
Verify Snort is generating alerts:
-
Trigger a short ICMP burst first (safe test)
-
Confirm an alert appears in the Snort alerts view
-
-
Forward pfSense/Snort logs to ELK (pfELK pipeline):
-
pfSense → Status → System Logs → Settings
-
Configure Remote Logging Options to send logs to 172.16.50.2
-
Ensure Snort alert logs are included in what gets forwarded (based on your pfSense/Snort logging settings)
-
-
Confirm logs land in Kibana under
logs-pfelk-*:-
Kibana Discover → select data view including
logs-pfelk-* -
Filter for pfSense/Snort events and confirm ICMP alerts appear with timestamps matching your tests
-
I created one detection rule per attack scenario, resulting in 6 custom rules: 5 Threshold rules (SSH brute force, SMB brute force, SMB enumeration, SMB exfiltration, ICMP flood/DoS via Snort events) and 1 Event Correlation rule using EQL (Pass-the-Hash leading to a successful shell on the Domain Controller).
Threshold rules were used where attacker behaviour produces a burst or high count of similar events in a short window (for example, repeated authentication failures or repeated IDS alerts), making them well-suited for brute force and flood-style patterns.
The Pass-the-Hash scenario was implemented as an EQL Event Correlation rule because it is best validated as a sequence of related events occurring within a defined timeframe, rather than a single-count threshold.
To track security activity and confirm the rules were functioning as intended, I used Elastic Security’s built-in dashboards:
-
Overview dashboard — provides a high-level snapshot of current alerts and events during the testing window.
-
Detection rule monitoring dashboard — provides visibility into detection rule execution, including whether rules are running successfully and their overall health/performance.
All alert rules in this project were created from the Elastic Security interface using the following navigation path:
- Left menu → Security → Rules → Detection rules (SIEM) → Create new rule
From the “Create new rule” workflow, I selected the appropriate rule type (Threshold for burst/count-based attacks and Event Correlation (EQL) for the Pass-the-Hash sequence), set the data source (for example, logs-* or logs-pfelk-*), and configured the query, threshold/correlation logic, schedule, and alert metadata before enabling the rule.
This section validates each attack scenario by showing (1) the attacker activity, (2) the detection rule created for that activity, and (3) the alert generated in Elastic Security.
Note: All attacks were executed by running the Project Breach Point (Part 1) script with added functionality implemented for Breach Trace; this report focuses on detection outcomes, so refer to the accompanying .sh file for the full commands and execution details.
For consistency, each subsection follows the same evidence flow: Terminal output → Rule configuration + logic → Alert triggered (Alerts page).
MITRE ATT&CK: Brute Force: Password Guessing (T1110.001)
From Kali (172.16.50.52), I used Hydra to execute an SSH brute force attempt against the Linux web server (172.16.100.20) to generate repeated authentication failures within a short time window.
Rule built (Threshold; index: logs-*****):
KQL: host.os.type: linux AND event.category: authentication AND event.action: ssh_login AND event.outcome: failure
Group by: source.ip, host.name
Detection logic:
Alert when a single source IP generates ≥ 10 failed SSH logins against the same host within a ~2-minute rolling window (example: runs every 1 min, additional look-back 1 min).
Rationale:
-
Linux + authentication + ssh_login narrows the rule to SSH login attempts only (not other log types), using ECS categorization and the more specific
event.actionfield. -
event.outcome: failureisolates the brute-force signal (repeated failures). -
Group by
source.ip+host.namekeeps the alert actionable (who attacked what) and matches how Elastic models SSH brute force (same source → same target). -
Schedule + look-back: Elastic recommends ≥ 1 minute additional look-back to avoid missed alerts if executions drift.
Tuning: Elastic’s prebuilt SSH brute-force rules use high burst thresholds (e.g., 25 failures in 15s or 60 failures in 30s) for noisy environments; in an internal lab, 10 failures in ~2 minutes is a practical baseline that still catches Hydra while reducing “one-off typo” noise.
Validation:
The alert fired during the attack window; source.ip = 172.16.50.52 and destination.ip/host = 172.16.100.20.
MITRE ATT&CK: Brute Force: Password Guessing (T1110.001)
From Kali (172.16.50.52), I used Hydra to perform repeated SMB/NTLM login attempts against the Domain Controller (172.16.50.254) to generate a burst of failed network authentication events.
Rule built (Threshold; index: logs-*****):
KQL: host.os.type: windows AND event.code: 4625 AND winlog.event_data.LogonType: 3
Group by: source.ip, user.name, host.name
Detection logic:
Alert when a single source IP generates ≥ 10 failed network logons (LogonType 3) for the same user + host within a ~2-minute rolling window (example: runs every 1 min, additional look-back 1 min). Elastic recommends ≥ 1 minute additional look-back to reduce missed alerts if rule execution drifts.
Rationale:
-
event.code: 4625targets Windows “account failed to log on” events, which are the primary signal for repeated failed logins during brute force activity. -
winlog.event_data.LogonType: 3narrows to Network logons (type 3), which is the expected logon type for SMB-style authentication attempts arriving over the network. -
host.os.type: windowskeeps the detection focused on Windows authentication telemetry (reducing unrelated non-Windows noise). -
Group by
source.ip+user.name+host.namemakes the alert precise and actionable by tying the spike to who is being targeted, where, and from which attacker IP (e.g., Kali → DC).
Tuning: Elastic’s prebuilt Windows “multiple logon failure” content looks for high-volume bursts of failed Network logons and uses a very high threshold (example: ≥ 100 failures per 60 seconds) in its reference rule query—appropriate for noisy environments. For an internal lab/DC where you want earlier detection (and have less background noise), 10 failures in ~2 minutes is a reasonable baseline that still reliably catches Hydra without alerting on one-off mistakes.
Validation:
The alert fired during the attack window; source.ip = 172.16.50.52 and destination host = 172.16.50.254 (DC).
MITRE ATT&CK: Network Share Discovery (T1135)
From Kali (172.16.50.52), I enumerated SMB shares on the Domain Controller (172.16.50.254) using smbclient to identify accessible shares and validate that share-discovery behaviour is visible to Elastic Security.
Rule built (Threshold; index: logs-*****):
KQL: host.os.type: windows AND event.code: 5140 AND winlog.event_data.ShareName: \\*\\IPC$
Group by: source.ip, user.name, host.name
Detection logic:
Alert when a single source IP generates ≥ 3 IPC$ share access events (5140) for the same user + host within a ~5-minute rolling window (example: runs every 1 min, additional look-back 4 min).
Rationale:
-
host.os.type: windowsscopes the rule to Windows share-access telemetry only, reducing irrelevant matches. -
event.code: 5140specifically captures “a network share object was accessed,” which is the core event for tracking SMB share access on the DC. -
ShareName: \\*\\IPC$focuses on the IPC$ administrative share, which exists to support named-pipe communication; share discovery commonly touches IPC$ as part of remote share enumeration workflows. -
Group by
source.ip+user.name+host.namekeeps the alert actionable by linking the burst to who performed the enumeration, from where, and which host was targeted.
Tuning: Microsoft notes Event 5140 is generated once per session when the first access attempt is made to a share. Because enumeration tools may create multiple short-lived connections/sessions, a lower threshold over a longer window (e.g., 3 in 5 minutes) is a practical baseline for spotting repeated IPC$ access without flagging a single normal connection.
Splunk also highlights that Event IDs 5140/5145 can be used to hunt network share discovery and that repeated IPC$ access patterns can be a sign of share enumeration activity.
Validation:
The alert fired during the attack window; source.ip = 172.16.50.52 and destination host = 172.16.50.254 (DC).
MITRE ATT&CK: Exfiltration Over Alternative Protocol (T1048)
From Kali (172.16.50.52), I used smbclient to copy files from the DC’s SMB share (172.16.50.254) to simulate data exfiltration over SMB.
Rule built (Threshold; index: logs-*****):
KQL: host.os.type: windows AND event.code: 5145 AND winlog.event_data.ShareName: \\*\\SMB_share
Group by: host.name, user.name, source.ip
Detection logic:
Alert when a single source IP generates ≥ 30 Event ID 5145 records for SMB_share for the same user + host within a ~5-minute rolling window (example: runs every 1 min, additional look-back 4 min).
Rationale:
-
event.code: 5145is generated by Audit Detailed File Share and records activity at the file/folder access level (i.e., it logs each time a file or folder is accessed through a share), making it suitable for spotting rapid/bulk access typical of copying/exfiltration. -
ShareName: \\*\\SMB_sharescopes the detection to the specific share used in the lab exfiltration scenario, reducing noise from normal access to other shares. -
Group by
source.ip+user.name+host.namekeeps the alert actionable by tying the activity to the originating host (Kali), the account used, and the target system (DC). -
Thresholding is important because Event 5145 can be very noisy: multiple 5145 entries can be generated for a single “user action” (directory listing, file open, read, metadata checks). A count-based rule helps differentiate bulk activity from one-off access.
Tuning: Event 5145 is commonly used by SIEM content to detect high-frequency file copying on network shares. For example, Splunk’s detection logic for “High Frequency Copy Of Files In Network Share” is built on 5145 and evaluates activity in 5-minute buckets with thresholds that only trigger when counts are meaningfully above baseline (including conditions where averages exceed ~20). This supports using a “few dozen in ~5 minutes” range as a starting point, then adjusting based on normal share usage.
Validation:
The alert fired during the attack window; source.ip = 172.16.50.52 and destination host = 172.16.50.254 (DC).
MITRE ATT&CK: OS Credential Dumping: NTDS (T1003.003)
From Kali (172.16.50.52), I used Impacket tooling to dump NTDS-related credential material from the Domain Controller (172.16.50.254) as a prerequisite for the Pass-the-Hash test.
MITRE ATT&CK: Use Alternate Authentication Material: Pass the Hash (T1550.002)
Using the dumped hash material, I authenticated to the Domain Controller (172.16.50.254) without a cleartext password and obtained an interactive shell from Kali (172.16.50.52).
Rule built (Event Correlation / EQL; index: logs-*****):
EQL query:
sample by host.name [ any where event.code: "4776" and winlog.event_data.Status: "0x0" ] [ any where event.code: "4624" and winlog.event_data.LogonType: "3" and winlog.event_data.AuthenticationPackageName: "NTLM" and event.outcome : "success" ] [ any where event.code: "4688" and process.parent.name: "WmiPrvSE.exe" and process.name: "cmd.exe" ] [ any where event.code: "5145" and winlog.event_data.ShareName : "\\\\*\\ADMIN$" and winlog.event_data.RelativeTargetName : "__*" ]
Detection logic:
Alert when the DC shows a correlated set of events consistent with Pass-the-Hash used for remote execution: successful NTLM credential validation → successful NTLM network logon → WMI-spawned cmd.exe → access to an ADMIN$ file beginning with __ (typical of Impacket WMIExec-style command output redirection).
Rationale (succinct):
-
4776 with Status
0x0indicates successful NTLM credential validation on the DC, making it a strong “authentication succeeded” anchor for correlation. -
4624 LogonType 3 + NTLM + success confirms a successful network logon using NTLM, which aligns with how PtH is commonly executed over the network (and matches ATT&CK detection guidance focusing on anomalous NTLM LogonType 3 activity).
-
4688 where
WmiPrvSE.exespawnscmd.exeis a high-signal indicator of WMI-based remote execution, a common pattern for Impacket’s WMIExec-like behavior. -
5145 to
\\*\\ADMIN$withRelativeTargetName: "__*"captures the SMB artifact where command output is redirected to a temp file onADMIN$starting with__, which multiple defenders document as a hallmark of Impacket WMIExec activity. -
Why EQL
sample by host.name****: EQL’ssamplecorrelates events by a join key (here, the target host) even when timing/order isn’t perfectly consistent across log sources—useful for multi-log-source PtH traces.
Validation:
The correlation alert fired during the attack window on the DC (172.16.50.254), matching the PtH shell activity initiated from Kali (172.16.50.52).
MITRE ATT&CK: Network Denial of Service: Direct Network Flood (T1498.001)
From Kali (172.16.50.52), I executed an ICMP flood against the Linux web server (172.16.100.20). This scenario was detected using pfSense/Snort telemetry forwarded into Elastic under logs-pfelk-*.
Rule built (Threshold; index: logs-pfelk-*****):
KQL:
network.transport: ICMP AND (destination.ip: 10.0.0.0 to 10.255.255.255 OR destination.ip: 172.16.0.0 to 172.31.255.255 OR destination.ip: 192.168.0.0 to 192.168.255.255)
(These destination ranges represent RFC1918 private networks.)
Group by: source.ip, destination.ip
Detection logic:
Alert when ICMP events from the same source.ip to the same destination.ip exceed ≥ 5 events within 1 minute (example: runs every 1 min, additional look-back 1 min). Elastic recommends ≥ 1 minute additional look-back to reduce missed alerts if rule execution drifts.
Rationale:
-
network.transport: ICMPfilters specifically for ICMP traffic, which is commonly used in direct network flooding (ping floods). -
Destination limited to RFC1918 ranges keeps the detection focused on internal/private lab targets and avoids unrelated public IP traffic.
-
Grouping by
source.ipanddestination.ipmakes the alert actionable (who is flooding which target) and prevents unrelated ICMP traffic from being aggregated together.
Tuning: Because these are pfSense/Snort-derived events (not raw packet captures), a lower threshold (e.g., 5 alerts/events in 1 minute) is usually enough to confirm sustained flooding while avoiding false positives from occasional ping/diagnostic activity. If your dataset logs every ICMP packet (rather than IDS alerts), increase the threshold substantially and tune based on your baseline.
Validation:
The alert fired during the attack window; source.ip = 172.16.50.52 and destination.ip/host = 172.16.100.20.
Overall, the detections worked as expected because each rule type matched the underlying “shape” of the attacker behaviour.
Threshold rules were effective for brute force, SMB activity, and ICMP flooding because these actions generate a high-volume burst of similar events (e.g., repeated authentication failures, repeated share access records, or repeated IDS/network events) within a short period.
In contrast, Pass-the-Hash is better represented as a multi-step chain (successful NTLM validation → network logon → follow-on execution and access), so the EQL event correlation rule provided stronger fidelity by correlating related events into a single detection instead of relying on counts alone.
Grouping fields such as source.ip, user.name, and host.name kept alerts specific and actionable by clearly identifying who attacked what.
For a real organization, the main tuning goal would be reducing false positives while keeping early detection. I would baseline “normal” authentication and share-access behaviour per subnet and host role, then apply different thresholds for internet-facing systems vs internal servers, and for privileged accounts vs standard users.
I would also add rule exceptions/allowlists for known admin jump hosts, vulnerability scanners, or scheduled management tools that legitimately generate SMB or authentication noise.
Finally, I would standardize schedules to balance timeliness with reliability and keep a consistent additional look-back to reduce missed detections during rule execution drift, while using severity/risk scoring to prioritize high-confidence alerts (for example, correlation-based PtH detections).
What I would add next:
-
Add richer telemetry (e.g., expanded Sysmon coverage and/or network flow/packet visibility) to improve context and reduce ambiguity.
-
Create “high-confidence” and “low-confidence” versions of some rules (e.g., brute force) with different severities and thresholds.
-
Extend correlation for lateral movement (e.g., combine NTLM logon + remote execution + SMB admin share artifacts into a single investigation view).
-
Improve dashboards with drilldowns by attacker IP, targeted hosts, and top usernames, and add a quick “attack timeline” panel per scenario.
-
Define response playbooks (triage steps, verification queries, containment actions) linked to each alert for faster analyst workflow.
This project validated SOC-style detections across six simulated attacks in a controlled lab environment, with every scenario producing the expected alert in Elastic Security.
Threshold rules proved most effective for bursty, high-volume patterns such as SSH/SMB brute force, SMB share activity, and ICMP flood behaviour, where repeated events over a short window are the core signal. For lateral movement using Pass-the-Hash, an EQL event correlation rule provided the highest value by linking multiple related Windows events into a single high-fidelity detection.
Overall, the results demonstrate reliable end-to-end visibility—from attacker execution to SIEM alerting—using both host-based and network/IDS telemetry.
MITRE ATT&CK. (n.d.). Brute Force: Password Guessing (T1110.001). https://attack.mitre.org/techniques/T1110/001/
MITRE ATT&CK. (n.d.). Network Share Discovery (T1135). https://attack.mitre.org/techniques/T1135/
MITRE ATT&CK. (n.d.). Exfiltration Over Alternative Protocol (T1048). https://attack.mitre.org/techniques/T1048/
MITRE ATT&CK. (n.d.). OS Credential Dumping: NTDS (T1003.003). https://attack.mitre.org/techniques/T1003/003/
MITRE ATT&CK. (n.d.). Use Alternate Authentication Material: Pass the Hash (T1550.002). https://attack.mitre.org/techniques/T1550/002/
MITRE ATT&CK. (n.d.). Network Denial of Service: Direct Network Flood (T1498.001). https://attack.mitre.org/techniques/T1498/001/
Elastic. (n.d.). Create a detection rule (Threshold rules, Event Correlation/EQL rules). https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule
Elastic. (n.d.). About detection rules (rule types overview). https://www.elastic.co/docs/solutions/security/detect-and-alert/about-detection-rules
Elastic. (n.d.). Manage detection alerts (Alerts page workflow). https://www.elastic.co/docs/solutions/security/detect-and-alert/manage-detection-alerts
Elastic. (n.d.). Overview dashboard (alerts/events snapshot). https://www.elastic.co/docs/solutions/security/dashboards/overview-dashboard
Elastic. (n.d.). Detection rule monitoring dashboard (rule execution health/performance). https://www.elastic.co/docs/solutions/security/dashboards/detection-rule-monitoring-dashboard
Elastic. (n.d.). Data views and Elastic Security (active data view controls what appears in Security pages). https://www.elastic.co/docs/solutions/security/get-started/data-views-elastic-security
Elastic. (n.d.). Data views (Kibana data view fundamentals). https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views
Microsoft. (2025). Advanced Audit Policy Configuration settings (Windows Server). https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/advanced-audit-policy-configuration
Microsoft Sysinternals. (2024). Sysmon (System Monitor). https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

























