SIEM APT Lateral Movement Correlation Rules
Write multi-event correlation rules that detect APT lateral movement by chaining Windows authentication events, including Sigma YAML rules and Splunk SPL queries.
SKILL.md
---
name: implementing-siem-correlation-rules-for-apt
description: "Write multi-event correlation rules that detect APT lateral movement by chaining Windows authentication events, including Sigma YAML rules and Splunk SPL queries."
---
# Implementing SIEM Correlation Rules for APT
## When to Use
- When deploying or configuring SIEM correlation rules for APT lateral movement in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Instructions
1. Install dependencies: `pip install requests pyyaml sigma-cli`
2. Connect to the Splunk REST API and define correlation searches that chain multiple event types across hosts.
3. Build Sigma rules in YAML that express multi-step detection logic for lateral movement patterns:
   - RDP logon (4624, LogonType=10) followed by a service installation (7045) on the same target within 15 minutes
   - Pass-the-Hash: NTLM network logon (4624, LogonType=3) followed by process creation (4688) of admin tools on the same target
   - PsExec-style: named pipe creation (Sysmon 17/18) correlated with remote service creation (7045) on the same target
4. Convert Sigma rules to Splunk SPL using `sigma-cli convert`.
5. Deploy correlation searches to Splunk ES via the REST API.
6. Run the agent to generate and install correlation rules, then audit existing rules for coverage gaps.
```bash
python scripts/agent.py --splunk-url https://localhost:8089 --username admin --password changeme --output correlation_report.json
```
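The three chains from step 3, implemented as a small in-memory correlator over constructed sample events. This is an added example, not code from the skill or its `agent.py`; the `AuthenticationPackageName == "NTLM"` check and the `ADMIN_TOOLS` list are assumptions the skill does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str       # Computer field of the event (the target host)
    event_id: int
    fields: dict    # remaining event fields (LogonType, Image, PipeName, ...)

def correlate(events, first, second, window):
    """Pair each `second` event with every earlier `first` event on the same host within `window`."""
    hits, pending = [], {}          # pending: host -> trigger events seen so far
    for ev in sorted(events, key=lambda e: e.ts):   # input may arrive out of order
        if second(ev):
            hits += [(t, ev) for t in pending.get(ev.host, []) if ev.ts - t.ts <= window]
        if first(ev):
            pending.setdefault(ev.host, []).append(ev)
    return hits

ADMIN_TOOLS = ("psexec.exe", "wmic.exe", "net.exe", "sc.exe")   # assumed tool list

def rdp_chain(events):     # 4624 LogonType=10 -> 7045 on the same host within 15m
    return correlate(events,
        lambda e: e.event_id == 4624 and e.fields.get("LogonType") == 10,
        lambda e: e.event_id == 7045, timedelta(minutes=15))

def pth_chain(events):     # NTLM network logon (4624 LogonType=3) -> 4688 of an admin tool
    return correlate(events,
        lambda e: e.event_id == 4624 and e.fields.get("LogonType") == 3
                  and e.fields.get("AuthenticationPackageName") == "NTLM",   # assumed field check
        lambda e: e.event_id == 4688
                  and e.fields.get("Image", "").lower().endswith(ADMIN_TOOLS),
        timedelta(minutes=15))

def psexec_chain(events):  # Sysmon 17 \PSEXESVC pipe -> 7045 PSEXESVC service within 5m
    return correlate(events,
        lambda e: e.event_id == 17 and e.fields.get("PipeName", "").startswith("\\PSEXESVC"),
        lambda e: e.event_id == 7045 and "PSEXESVC" in e.fields.get("ServiceFileName", ""),
        timedelta(minutes=5))

T0 = datetime(2024, 1, 1, 9, 0)
def at(m): return T0 + timedelta(minutes=m)
SAMPLE = [  # constructed sample telemetry, not real logs
    Event(at(0), "SRV01", 4624, {"LogonType": 10, "TargetUserName": "jdoe"}),
    Event(at(5), "SRV01", 7045, {"ServiceName": "Updater", "ServiceFileName": "C:\\Temp\\u.exe"}),
    Event(at(3), "SRV02", 4688, {"Image": "C:\\Windows\\System32\\wmic.exe"}),   # arrives before its logon
    Event(at(1), "SRV02", 4624, {"LogonType": 3, "AuthenticationPackageName": "NTLM"}),
    Event(at(10), "SRV03", 17, {"PipeName": "\\PSEXESVC"}),
    Event(at(11), "SRV03", 7045, {"ServiceName": "PSEXESVC", "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"}),
    Event(at(30), "SRV04", 4624, {"LogonType": 10}),
    Event(at(50), "SRV04", 7045, {"ServiceFileName": "C:\\x.exe"}),   # 20m gap: outside the window, no hit
]
```

Each chain returns (trigger, follow-up) pairs; the SRV04 pair shows the window boundary and the SRV02 pair shows that out-of-order delivery is handled by sorting on timestamp.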
## Examples
### Detect RDP Lateral Movement Chain
```spl
index=wineventlog ((EventCode=4624 Logon_Type=10) OR EventCode=7045)
| transaction Computer maxspan=15m startswith=(EventCode=4624) endswith=(EventCode=7045)
| where eventcount >= 2
| table _time Computer Account_Name ServiceName
```
### Sigma Rule for PsExec Lateral Movement
```yaml
title: PsExec Lateral Movement Detection
logsource:
  product: windows
  # Note: Sysmon 17 is a Sysmon event, but 7045 is written to the System log;
  # a production rule keeps the two selections in rules with matching logsources.
  service: sysmon
detection:
  pipe_created:
    EventID: 17
    PipeName|startswith: '\PSEXESVC'
  service_installed:
    EventID: 7045
    ServiceFileName|contains: 'PSEXESVC'
  timeframe: 5m
  # `near` is the legacy Sigma aggregation; newer Sigma versions express this as a correlation rule.
  condition: pipe_created | near service_installed
level: high
```
REQUIRED CONTEXT
- Splunk REST API access
- Windows event logs
OPTIONAL CONTEXT
- test environment
- Python 3.8+
TOOLS REQUIRED
- sigma-cli
EXPECTED OUTPUT
- Format: markdown
- Constraints
  - include Sigma YAML rules
  - include Splunk SPL examples
  - follow provided step-by-step instructions
EXAMPLES
Includes one SPL transaction query example for RDP lateral movement and one YAML Sigma rule example for PsExec detection.
CAVEATS
- Dependencies
  - Splunk REST API access
  - Python 3.8+ with dependencies
  - test or lab environment
- Missing context
  - Target SIEM platform (hard-coded to Splunk)
  - Exact schema or expected output of correlation_report.json
  - Error handling or validation criteria for generated rules
- Ambiguities
  - Description sentence is truncated/incomplete
  - 'When to Use' section contains repetitive phrasing ('deploying or configuring implementing siem')
  - Step 6 refers to 'the agent' without defining what agent.py does or its source
QUALITY
- OVERALL: 0.52
- CLARITY: 0.72
- SPECIFICITY: 0.68
- REUSABILITY: 0.25
- COMPLETENESS: 0.60
IMPROVEMENT SUGGESTIONS
- Replace hard-coded Splunk/Sigma specifics with placeholders so the prompt can be reused for other SIEMs
- Add explicit output format and success criteria for the generated correlation rules
- Fix truncated description and repetitive text in the 'When to Use' section
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.