Analytics Repository
The following examples demonstrate how to score and improve an analytic in accordance with the Summiting the Pyramid methodology.
- Suspicious ADFind
- Scheduled Task/Job
- Service Registry Permissions Weakness Check
- Potential Access Token Abuse
- Executable (EXE) File Download from a WebDAV Server
- Link (LNK) File Download Containing a WebDAV UNC Hyperlink
- Remote Registry Management Using Reg Utility
- File Creation Date Changed to Another Year
- Zeek DCE-RPC MITRE BZAR Execution
Scored Analytics Repository:
There is also a published CSV file that contains analytics that have been scored with the methodology: ScoredAnalytics
Submitting an Analytic:
The Summiting team is looking for analytics which have been scored or improved by the community for our Scored Analytics Repository.
If you are interested in contributing to our repository, please submit a request on GitHub with the following information:
- Analytic schema (Sigma, Splunk, Elastic, etc.)
- Log source (Windows process creation, file event, etc.)
- Detection analytic with detection logic (AND, OR)
- The score for your analytic with a brief explanation
Scorer
Score your own analytics in Sigma!
Sigma now has a tag to document the STP score of an analytic. Check out the Sigma tags appendix to learn more.