We get flooded with many different tools and technologies, whether open source or commercial, but one important question to ask ourselves is: “In the case of an incident, which tools will actually get the job done?”

How do we know whether our SOC is equipped with the right tools when an incident occurs?

This blog post presents one way to leverage Purple Teaming to stress test our technologies of choice and to find the gaps that keep us from meeting our SLA, SLOs and SLIs.


Objective

We wanted to test the following:

  • SLA: data ingested and an incident detected, ready for response, within 2 hours of the event occurring
  • SLOs & SLIs (the per-stage targets that add up to the SLA, and the measurements we take against them):
    • Time to ingest: 30 minutes
    • Time to parse: 30 minutes
    • Time to detect: 1 hour
  • Which tools perform best and worst?
  • How do we improve?

Data of interest

  • Windows Event Log (wineventlog)
    • custom Windows event (winevent) ingestion

Tools to assess

  • Splunk
  • Devo
  • Cortex XDR
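To turn the objective above into something we can score, each purple-team event needs four timestamps: when it was created on the source host, when the platform accepted it, when it became searchable with its fields parsed, and when an alert fired. The three SLIs are the gaps between those points, each checked against its SLO, and the end-to-end gap is checked against the 2-hour SLA. The script below is an added illustration of that scoring, not code from this post or from any of the vendors; the tool names (tool_a, tool_b, tool_c), the timestamps and the sample CA event (Windows Security event 4887, certificate issued) are constructed to exercise the logic and are not our measured results.

```python
"""Score ingest/parse/detect SLIs for one purple-team event against the SLOs
and the SLA. Added illustration; all tool names and timings are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Thresholds from the objective: SLOs are per stage, the SLA is end to end.
SLO_MINUTES = {"ingest": 30, "parse": 30, "detect": 60}
SLA_MINUTES = 120


@dataclass
class EventTrace:
    """Timestamps one Windows event collects on its way to an alert."""
    tool: str
    event_id: int
    created: datetime             # TimeCreated on the source host
    ingested: datetime            # raw event accepted by the platform
    parsed: datetime              # fields extracted, event searchable
    detected: Optional[datetime]  # alert raised; None if the rule never fired


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def measure(trace: EventTrace) -> dict:
    """Return the three SLIs (minutes), per-SLO pass flags and the SLA verdict."""
    sli = {
        "ingest": _minutes(trace.created, trace.ingested),
        "parse": _minutes(trace.ingested, trace.parsed),
        # A detection that never happens is an infinite lag, not a zero one.
        "detect": _minutes(trace.parsed, trace.detected) if trace.detected else float("inf"),
    }
    slo_met = {stage: sli[stage] <= SLO_MINUTES[stage] for stage in sli}
    end_to_end = _minutes(trace.created, trace.detected) if trace.detected else float("inf")
    return {
        "tool": trace.tool,
        "sli_minutes": sli,
        "slo_met": slo_met,
        "end_to_end_minutes": end_to_end,
        "sla_met": end_to_end <= SLA_MINUTES,
        # Which stage to fix first: the one furthest over its SLO.
        "worst_stage": max(sli, key=lambda stage: sli[stage] - SLO_MINUTES[stage]),
    }


def _t(hhmm: str) -> datetime:
    """Constructed UTC timestamps on a single day, for the sample traces."""
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed traces for one CA event (4887: certificate issued) as seen by three
# hypothetical tools. The numbers are invented to exercise the scoring.
SAMPLE_TRACES = [
    EventTrace("tool_a", 4887, _t("10:00"), _t("10:12"), _t("10:20"), _t("11:45")),  # SLA met, detect SLO missed
    EventTrace("tool_b", 4887, _t("10:00"), _t("10:50"), _t("11:05"), _t("12:15")),  # ingest + detect SLOs missed
    EventTrace("tool_c", 4887, _t("10:00"), _t("10:05"), _t("10:10"), None),         # fast pipeline, no alert at all
]


def scoreboard(traces=SAMPLE_TRACES) -> list:
    """Score every trace; one row per tool."""
    return [measure(t) for t in traces]


if __name__ == "__main__":
    for row in scoreboard():
        print(f"{row['tool']}: SLIs={row['sli_minutes']} SLA met={row['sla_met']} "
              f"fix first={row['worst_stage']}")
```

Two things the scoring makes explicit that a single pass/fail column hides: a tool can meet the SLA while missing an SLO (tool_a, with a slow detection rule but fast ingestion), and a tool that is fastest on ingest and parse still fails outright if the detection never fires (tool_c). In Splunk the first SLI comes straight from the event itself, since `_indextime - _time` is the ingest lag; for the other platforms and for parse and alert times you record the timestamps when you run the emulation.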

Purple Team Operation

For this Purple Team Operation, we emulated attacks that abuse Active Directory Certificate Services (AD CS), derived from the “Certified Pre-Owned” white paper published by SpecterOps:

https://specterops.io/assets/resources/Certified_Pre-Owned.pdf

Our attack emulation:

Tools used in the attack:

Results

We compared the three tools we rely on for detection and response. Here are the results:

None of the tools met our defined SLA, SLOs and SLIs.


What can we do to improve to meet the defined SLA?