Threat Detection and Response
Last updated
Wazuh's vulnerability detection module runs regular, automated scans that compare each agent's installed-package inventory against vulnerability feeds and groups the findings into four severity levels: Critical, High, Medium and Low. The levels follow the CVSS qualitative severity scale published by FIRST (https://www.first.org/cvss/), and the Wazuh dashboard lets users filter the list by level. As a rule, findings with higher scores are remediated first. Not every finding is accurate, however: the match is made on package name and version, so a distribution that backports a fix without changing the version string can still be reported as vulnerable, and in several cases a finding turns out to be a false positive.
From the vulnerability list of an agent, an analyst can select a finding to view its details: the CVE (Common Vulnerabilities and Exposures) entry, the affected package and version, the date the vulnerability was published, and the references attached to that CVE. With that information the analyst judges the real threat posed by the finding, checks that it is not a false positive, and decides whether it needs immediate remediation.
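The triage step above can be scripted against the alerts Wazuh writes to alerts.json. The following is an added example, not Wazuh's own code: it maps CVSS v3.x base scores to FIRST's qualitative ratings, deduplicates findings that every scan re-emits, drops CVEs an analyst has already confirmed as false positives, and ranks what remains by score. The alert records are constructed for the example in the shape of the Wazuh 4.x vulnerability-detector alert (the field names under data.vulnerability are assumed from that layout and the scores are illustrative), and the suppression list is a hypothetical triage note.

```python
import json

# FIRST's CVSS v3.x qualitative severity scale: (inclusive upper bound, rating).
CVSS3_BANDS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]
RANK = {name: i for i, (_, name) in enumerate(CVSS3_BANDS)}


def cvss3_rating(score):
    """Map a CVSS v3.x base score (0.0-10.0, one decimal) to its qualitative rating."""
    score = round(float(score), 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for upper, name in CVSS3_BANDS:
        if score <= upper:
            return name
    return "Critical"


# Constructed sample records in the shape of Wazuh 4.x vulnerability-detector alerts
# (field names assumed from that layout; scores are illustrative, check NVD for current values).
SAMPLE_ALERTS = """\
{"timestamp":"2024-03-01T09:00:00.000+0000","agent":{"id":"001","name":"web-01"},"data":{"vulnerability":{"cve":"CVE-2023-44487","severity":"High","cvss":{"cvss3":{"base_score":"7.5"}},"package":{"name":"nginx","version":"1.18.0-6ubuntu14"},"published":"2023-10-10"}}}
{"timestamp":"2024-03-01T09:00:01.000+0000","agent":{"id":"001","name":"web-01"},"data":{"vulnerability":{"cve":"CVE-2021-44228","severity":"Critical","cvss":{"cvss3":{"base_score":"10.0"}},"package":{"name":"liblog4j2-java","version":"2.11.2-1"},"published":"2021-12-10"}}}
{"timestamp":"2024-03-02T09:00:00.000+0000","agent":{"id":"001","name":"web-01"},"data":{"vulnerability":{"cve":"CVE-2023-44487","severity":"High","cvss":{"cvss3":{"base_score":"7.5"}},"package":{"name":"nginx","version":"1.18.0-6ubuntu14"},"published":"2023-10-10"}}}
{"timestamp":"2024-03-01T09:00:02.000+0000","agent":{"id":"002","name":"db-01"},"data":{"vulnerability":{"cve":"CVE-2023-4911","severity":"High","cvss":{"cvss3":{"base_score":"7.8"}},"package":{"name":"libc6","version":"2.35-0ubuntu3.4"},"published":"2023-10-03"}}}
{"timestamp":"2024-03-01T09:00:03.000+0000","agent":{"id":"002","name":"db-01"},"data":{"vulnerability":{"cve":"CVE-2023-28321","severity":"Medium","cvss":{"cvss3":{"base_score":"5.9"}},"package":{"name":"curl","version":"7.81.0-1ubuntu1.10"},"published":"2023-05-26"}}}
"""


def parse_alerts(text):
    """Parse newline-delimited alerts.json, keeping only vulnerability-detector records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if "vulnerability" in rec.get("data", {}):
            alerts.append(rec)
    return alerts


# Hypothetical triage notes: CVEs an analyst has already verified as false positives
# (for example, the distribution backported the fix without changing the version string).
SUPPRESSED = {"CVE-2023-4911": "libc6 fix backported by vendor, verified by analyst"}


def triage(alerts, min_rating="High", suppressed=SUPPRESSED):
    """Dedupe findings, drop reviewed false positives, keep >= min_rating, rank by score."""
    if min_rating not in RANK:
        raise ValueError(f"unknown rating {min_rating!r}")
    seen, findings = set(), []
    for a in alerts:
        v = a["data"]["vulnerability"]
        key = (a["agent"]["id"], v["cve"], v["package"]["name"])
        if key in seen:
            continue  # every scan re-emits unresolved findings; report each once
        seen.add(key)
        if v["cve"] in suppressed:
            continue
        cvss3 = v.get("cvss", {}).get("cvss3")
        if not cvss3 or "base_score" not in cvss3:
            continue  # no v3 score in the feed; rank these by hand rather than guess
        score = float(cvss3["base_score"])
        rating = cvss3_rating(score)
        if RANK[rating] < RANK[min_rating]:
            continue
        findings.append({
            "agent": a["agent"]["name"], "cve": v["cve"], "score": score,
            "rating": rating,
            "feed_severity": v.get("severity"),  # compare the feed's label with our own mapping
            "package": f'{v["package"]["name"]} {v["package"]["version"]}',
            "published": v.get("published", ""),
        })
    # highest score first; among equal scores, the oldest (longest-exposed) CVE first
    findings.sort(key=lambda f: (-f["score"], f["published"]))
    return findings


if __name__ == "__main__":
    for f in triage(parse_alerts(SAMPLE_ALERTS)):
        print(f'{f["rating"]:<8} {f["score"]:>4} {f["cve"]:<16} {f["agent"]:<8} {f["package"]}')
```

With the sample input and the default threshold of High, the duplicate nginx finding from the second scan collapses into one entry, the suppressed libc6 CVE is dropped, the Medium curl CVE is filtered out, and the two remaining findings are listed with the Critical one first. Lowering `min_rating` to "Medium" brings the curl finding back. Computing the rating from the score rather than trusting the feed's severity label is deliberate: the `feed_severity` field is kept so a mismatch between the two is visible during review.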
The MITRE ATT&CK® framework, which stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), is a knowledge base for modeling the behavior of a cyber adversary.
See the Wazuh documentation, Ruleset section: Enhancing detection with MITRE ATT&CK framework (wazuh.com).
Wazuh rules carry ATT&CK technique IDs in their definitions, so every alert they raise exposes the matching technique and tactic in the rule.mitre fields. Those fields are what let an analyst move from isolated log lines to the adversary's tactics, techniques and procedures (TTPs): grouping an agent's alerts by tactic and ordering them in time shows which stage of the attack each log entry belongs to and how far the intrusion has progressed.
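The following is an added example of that TTP view, not code from Wazuh or from the page's author. It assumes the Wazuh 4.x alerts.json layout in which a rule's ATT&CK mapping is exported as the rule.mitre.id, rule.mitre.tactic and rule.mitre.technique lists. The alerts are constructed for the example (the rule IDs and their technique mappings are illustrative), and the `_alert` helper, the flagging threshold and the one-hour window are the example's own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Enterprise ATT&CK tactics in matrix order, left to right.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]


def _alert(ts, agent_id, rule_id, mitre_ids=(), tactics=(), techniques=()):
    """Build one record in the shape Wazuh writes to alerts.json (constructed sample)."""
    rule = {"id": rule_id}
    if mitre_ids:  # a technique may belong to several tactics; Wazuh lists all of them
        rule["mitre"] = {"id": list(mitre_ids), "tactic": list(tactics),
                         "technique": list(techniques)}
    return {"timestamp": ts, "agent": {"id": agent_id}, "rule": rule}


# Constructed alerts: rule IDs and their ATT&CK mappings are illustrative.
SAMPLE_ALERTS = [
    _alert("2024-03-01T10:00:00.000+0000", "001", "5710", ["T1110.001"],
           ["Credential Access"], ["Password Guessing"]),
    _alert("2024-03-01T10:00:07.000+0000", "001", "5710", ["T1110.001"],
           ["Credential Access"], ["Password Guessing"]),
    _alert("2024-03-01T10:00:15.000+0000", "001", "5710", ["T1110.001"],
           ["Credential Access"], ["Password Guessing"]),
    _alert("2024-03-01T10:04:30.000+0000", "001", "5715", ["T1078"],
           ["Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access"],
           ["Valid Accounts"]),
    _alert("2024-03-01T10:06:10.000+0000", "001", "5402", ["T1548.003"],
           ["Privilege Escalation", "Defense Evasion"], ["Sudo and Sudo Caching"]),
    _alert("2024-03-01T10:07:45.000+0000", "001", "5902", ["T1136.001"],
           ["Persistence"], ["Local Account"]),
    _alert("2024-03-01T10:02:00.000+0000", "002", "5710", ["T1110.001"],
           ["Credential Access"], ["Password Guessing"]),
    _alert("2024-03-01T10:03:00.000+0000", "002", "503"),  # rule without ATT&CK mapping
]


def parse_ts(ts):
    """Wazuh timestamps look like 2024-03-01T10:00:00.000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def _tactic_pos(tactic):
    return TACTIC_ORDER.index(tactic) if tactic in TACTIC_ORDER else len(TACTIC_ORDER)


def build_chains(alerts):
    """Return {agent_id: [step, ...]}: one step per technique, ordered by first sighting."""
    by_agent = defaultdict(dict)
    for a in sorted(alerts, key=lambda a: parse_ts(a["timestamp"])):
        mitre = a["rule"].get("mitre")
        if not mitre:
            continue  # nothing to place on the matrix
        ts = parse_ts(a["timestamp"])
        steps = by_agent[a["agent"]["id"]]
        for i, tid in enumerate(mitre["id"]):
            step = steps.setdefault(tid, {
                "technique": tid,
                "name": mitre["technique"][i] if i < len(mitre["technique"]) else "",
                "tactics": sorted(set(mitre["tactic"]), key=_tactic_pos),
                "first_seen": ts, "last_seen": ts, "count": 0, "rules": set(),
            })
            step["last_seen"] = ts
            step["count"] += 1
            step["rules"].add(a["rule"]["id"])
    return {agent: sorted(steps.values(), key=lambda s: s["first_seen"])
            for agent, steps in by_agent.items()}


def flagged_agents(chains, min_tactics=3, window=timedelta(hours=1)):
    """Agents whose alerts span at least min_tactics distinct tactics inside one window."""
    flagged = []
    for agent, steps in chains.items():
        tactics = {t for s in steps for t in s["tactics"]}
        span = steps[-1]["last_seen"] - steps[0]["first_seen"]
        if len(tactics) >= min_tactics and span <= window:
            flagged.append(agent)
    return sorted(flagged)


def render(agent, steps):
    """One line per agent: tactic(s):technique x count @ first sighting, in time order."""
    parts = [f"{'/'.join(s['tactics'])}:{s['technique']} x{s['count']} "
             f"@{s['first_seen'].strftime('%H:%M:%S')}" for s in steps]
    return f"{agent}: " + " -> ".join(parts)


if __name__ == "__main__":
    chains = build_chains(SAMPLE_ALERTS)
    for agent, steps in chains.items():
        print(render(agent, steps))
    print("flagged:", flagged_agents(chains))
```

For agent 001 the output reads as a chain: password guessing (Credential Access, three alerts), then a successful login with valid accounts (Initial Access and the other tactics T1078 belongs to), sudo to root (Privilege Escalation), and a new local account (Persistence), all within eight minutes, which is what gets the agent flagged. Agent 002 shows the same brute-force rule but nothing after it and stays unflagged. In practice the records come from `json.loads` on each line of alerts.json rather than from the constructed list, and the technique-to-tactic lists come from the rules themselves.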