Key Takeaways
- Visibility is the foundation of defense
- Detection engineering creates actionable alerts
- Threat hunting finds what alerts miss
- Purple teaming validates defenses
1. Blue Team Fundamentals
Blue teams defend organizations from cyber threats through prevention, detection, and response. Success requires understanding both defensive technologies and adversary techniques.
Core Capabilities
- Prevention: Hardening, patching, access control
- Detection: SIEM, EDR, network monitoring
- Response: Incident handling, containment
- Recovery: Restoration, lessons learned
2. Achieving Visibility
Critical Data Sources
# Windows logs to collect:
# - Security (4624, 4625, 4688, 4697, 4698, 4720)
# - PowerShell (4103, 4104)
# - Sysmon (1, 3, 7, 8, 10, 11, 22)
# Enable PowerShell logging
# Module logging + Script block logging
# Deploy Sysmon with SwiftOnSecurity config
sysmon -i sysmonconfig-export.xml
# Network visibility:
# - Zeek/Bro for network metadata
# - VPC flow logs (cloud)
# - DNS query logging
# - Proxy logs
3. Detection Engineering
# Detection-as-Code approach
# Store rules in Git, test in CI/CD
# Sigma rule example
title: Suspicious PowerShell Download
logsource:
    product: windows
    service: powershell
detection:
    selection:
        ScriptBlockText|contains:
            - 'IEX'
            - 'Invoke-Expression'
            - 'DownloadString'
    condition: selection
level: high
# Convert Sigma to SIEM query
sigmac -t splunk rule.yml
sigmac -t elastalert rule.yml
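The rule above is only useful if it is tested before it ships. The following is an added example (not code from the original page or from the Sigma project): a minimal evaluator for the `|contains` selection logic of that rule, run over constructed 4104 script-block events, which is the kind of known-good/known-bad unit test a detection-as-code pipeline executes in CI before converting the rule with sigmac. The rule is inlined as a dict to keep the example offline; a real repo would load the YAML file with PyYAML.

```python
# Minimal Sigma-style evaluator for CI testing of the rule shown above.
# Assumption: the rule is inlined here; in a repo it is yaml.safe_load()-ed from Git.
RULE = {
    "title": "Suspicious PowerShell Download",
    "detection": {
        "selection": {
            "ScriptBlockText|contains": ["IEX", "Invoke-Expression", "DownloadString"],
        },
        "condition": "selection",
    },
    "level": "high",
}

def field_matches(event, key, expected):
    """Evaluate one selection entry. Supports a bare field (exact match) and the
    |contains / |startswith / |endswith modifiers, case-insensitively as Sigma is.
    A list of values is OR-ed, as in Sigma."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        cand = str(cand).lower()
        if modifier == "contains" and cand in value:
            return True
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "" and value == cand:
            return True
    return False

def selection_matches(event, selection):
    # Entries inside one selection map are AND-ed.
    return all(field_matches(event, k, v) for k, v in selection.items())

def evaluate(rule, event):
    """Handles single-selection conditions only ("condition: selection")."""
    det = rule["detection"]
    return selection_matches(event, det[det["condition"].strip()])

# Constructed 4104 events standing in for SIEM output: one true positive,
# one benign script, and one lower-case alias hit.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString($url)"},
    {"EventCode": 4104, "ScriptBlockText": "Get-ChildItem C:\\Temp | Select-Object Name"},
    {"EventCode": 4104, "ScriptBlockText": "invoke-expression $cmd"},
]

def run_rule(rule=RULE, events=SAMPLE_EVENTS):
    """Return indices of events the rule fires on; CI asserts the expected set."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]

if __name__ == "__main__":
    print(run_rule())  # [0, 2]
```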
Detection Categories
- Signature: Known IOCs, hashes, strings
- Behavioral: Suspicious patterns, anomalies
- Heuristic: Rule-based logic
- ML/Analytics: Baseline deviation
4. EDR Operations
# EDR capabilities:
# - Process monitoring
# - File integrity
# - Network connections
# - Registry changes
# - Memory analysis
# - Automated response
# Key detection points:
# - Parent-child process relationships
# - Command-line arguments
# - DLL loading
# - Unsigned binaries
# - Living-off-the-land binaries (LOLBins)
5. Threat Hunting
# Hypothesis-driven hunting
# Step 1: Form hypothesis based on threat intel
# Step 2: Identify data sources
# Step 3: Execute hunt query
# Step 4: Analyze results
# Step 5: Document findings
# Example hunts:
# Hunt for persistence mechanisms (4698 = scheduled task created, 4697 = service installed)
# 4697 events carry ServiceName rather than TaskName, so coalesce both fields or the
# service installs are silently dropped by the filter
index=windows EventCode=4698 OR EventCode=4697
| where NOT match(coalesce(TaskName, ServiceName), "Microsoft|Windows")
# Hunt for unusual parent-child
index=sysmon EventCode=1
ParentImage="*\\excel.exe"
Image!="*\\splwow64.exe"
# Hunt for encoded PowerShell
index=windows EventCode=4104
| where match(ScriptBlockText, "-enc|-e ")
6. Incident Response Integration
- Playbooks: Documented response procedures
- SOAR: Automated response actions
- Containment: Isolate affected systems
- Evidence: Preserve for forensics
7. System Hardening
Windows Hardening
# Disable LLMNR/NBT-NS
# Disable SMBv1
# Enable Credential Guard
# Configure LAPS
# Implement tiered admin model
# Block Office macros from internet
# Enable ASR rules
# Restrict PowerShell with Constrained Language Mode
8. Security Metrics
- MTTD: Mean Time To Detect
- MTTR: Mean Time To Respond
- Alert volume: Total vs actionable
- False positive rate: Noise in alerts
- Coverage: ATT&CK techniques detected
FAQ
How do I start in blue team?
Learn Windows internals, study MITRE ATT&CK, set up a home lab with SIEM/EDR, practice with detection challenges, and get comfortable with log analysis.