Security Monitoring Setup
Automate security monitoring, threat detection, incident response, and compliance workflows
Security alerts pile up faster than your team can triage them, and manual log review misses critical threats buried in noise. This playbook automates security monitoring setup, threat detection rules, incident response playbooks, and compliance reporting workflows.
Who it's for: security engineers building automated threat detection and alerting pipelines, DevSecOps teams integrating security monitoring into CI/CD and infrastructure, compliance officers automating evidence collection for SOC2 and ISO 27001 audits, SOC analysts reducing alert fatigue with better correlation and triage rules, IT managers setting up security monitoring for growing organizations
Example
"Set up security monitoring for our cloud infrastructure" → Security pipeline: log aggregation configuration for AWS CloudTrail and VPC flow logs, detection rule creation for common attack patterns (brute force, privilege escalation, data exfiltration), automated alert routing with severity-based escalation, incident response runbook generation, and compliance dashboard for audit readiness
# Security Monitoring
Comprehensive workflow for security monitoring, threat detection, and incident response automation.
## Core Architecture
### Security Monitoring Stack
```
SECURITY MONITORING ARCHITECTURE:

┌─────────────────────────────────────────────────────────┐
│                       DATA SOURCES                      │
├──────────┬──────────┬──────────┬──────────┬─────────────┤
│ Firewall │ Endpoint │  Cloud   │ Network  │ Application │
│   Logs   │   Logs   │   Logs   │ Traffic  │    Logs     │
└────┬─────┴────┬─────┴────┬─────┴────┬─────┴──────┬──────┘
     │          │          │          │            │
     └──────────┴──────────┼──────────┴────────────┘
                           ▼
┌─────────────────────────────────────────────────────────┐
│                     LOG AGGREGATION                     │
│               (SIEM / Security Data Lake)               │
└────────────────────────────┬────────────────────────────┘
                             ▼
┌─────────────────────────────────────────────────────────┐
│                    DETECTION ENGINE                     │
│  • Rule-based Detection     • ML Anomaly Detection      │
│  • Correlation Rules        • Threat Intelligence       │
└────────────────────────────┬────────────────────────────┘
                             ▼
┌─────────────────────────────────────────────────────────┐
│                   RESPONSE & ACTION                     │
│  • Alerting                 • Automated Response        │
│  • Ticketing                • Containment               │
└─────────────────────────────────────────────────────────┘
```
## Detection Rules
### Rule Categories
```yaml
detection_rules:
  authentication:
    - name: brute_force_login
      description: "More than five failed logins from one source address within five minutes"
      query: |
        event.type == "authentication" AND
        event.outcome == "failure" AND
        COUNT(*) > 5 WITHIN 5 minutes
        GROUP BY source.ip
      severity: high
      actions:
        - create_alert
        # Shared egress addresses (NAT, VPN, proxies) can lock out legitimate users;
        # scope the block to the targeted service and keep it short-lived.
        - block_ip_temporarily
    - name: impossible_travel
      description: "Successive successful logins for one user from locations too far apart to travel between"
      # prev_location is the same user's previous successful login, hence the GROUP BY.
      query: |
        event.type == "authentication" AND
        event.outcome == "success" AND
        geo_distance(prev_location, current_location) > 500km AND
        time_diff < 1 hour
        GROUP BY user.id
      severity: critical
      actions:
        - create_alert
        - require_mfa_verification
        - notify_user
  data_exfiltration:
    - name: large_data_transfer
      description: "Unusual outbound data volume for one user"
      query: |
        event.type == "network" AND
        direction == "outbound" AND
        SUM(bytes_transferred) > 100MB WITHIN 1 hour
        GROUP BY user.id
      severity: medium
      actions:
        - create_alert
        - capture_network_session
  malware:
    - name: known_malware_hash
      description: "File hash matches a threat-intelligence malware indicator"
      query: |
        event.type == "file" AND
        file.hash.sha256 IN threat_intelligence.malware_hashes
      severity: critical
      actions:
        - quarantine_file
        - isolate_endpoint
        - create_incident
```
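The two `authentication` rules above written out as plain Python, as an added example (not part of the page's template) so the thresholds can be tested against sample events before they are loaded into a SIEM. The `AuthEvent` shape, the RFC 5737 documentation addresses and the coordinates are constructed for the example, and `haversine_km` stands in for the rule's `geo_distance()`. Note what the grouping buys and what it misses: keying the brute-force rule on `source.ip` catches one address spraying many accounts (the sample), but one account attacked from many addresses needs a second copy of the rule keyed on `user.id`.

```python
"""Brute-force and impossible-travel detectors, run over constructed auth events."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    source_ip: str
    outcome: str        # "success" or "failure"
    lat: float = 0.0    # GeoIP coordinates of source_ip (assumed to be enriched upstream)
    lon: float = 0.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km; stands in for the rule's geo_distance()."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_brute_force(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """COUNT(failures) > threshold WITHIN window GROUP BY source.ip, as a sliding window.
    Fires once per burst per IP and re-arms only after the count drops back to the threshold."""
    failures: dict[str, deque] = defaultdict(deque)   # ip -> (ts, user) of recent failures
    armed: dict[str, bool] = defaultdict(lambda: True)
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome != "failure":
            continue
        q = failures[ev.source_ip]
        q.append((ev.ts, ev.user))
        while ev.ts - q[0][0] > window:                 # age out failures outside the window
            q.popleft()
        if len(q) > threshold:
            if armed[ev.source_ip]:
                alerts.append({"rule": "brute_force_login", "severity": "high", "ts": ev.ts,
                               "source_ip": ev.source_ip, "failures": len(q),
                               # many distinct users from one address points at password spraying
                               "users": sorted({u for _, u in q})})
                armed[ev.source_ip] = False
        else:
            armed[ev.source_ip] = True
    return alerts


def detect_impossible_travel(events, max_km: float = 500.0, max_gap: timedelta = timedelta(hours=1)) -> list[dict]:
    """Two successful logins for one user farther apart than max_km within max_gap (GROUP BY user)."""
    last: dict[str, AuthEvent] = {}
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome != "success":
            continue
        prev = last.get(ev.user)
        if prev is not None:
            km, gap = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon), ev.ts - prev.ts
            if km > max_km and gap < max_gap:
                alerts.append({"rule": "impossible_travel", "severity": "critical", "user": ev.user,
                               "from_ip": prev.source_ip, "to_ip": ev.source_ip,
                               "distance_km": round(km), "minutes": gap.total_seconds() / 60})
        last[ev.user] = ev
    return alerts


# Constructed sample data (documentation addresses from RFC 5737).
T0 = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
LONDON, PARIS, NEW_YORK = (51.5074, -0.1278), (48.8566, 2.3522), (40.7128, -74.0060)
SAMPLE_EVENTS = [
    # 7 failures in 3 minutes from one address, spread over four accounts
    *[AuthEvent(T0 + timedelta(seconds=30 * i), f"user{i % 4}", "203.0.113.7", "failure") for i in range(7)],
    AuthEvent(T0 + timedelta(minutes=1), "carol", "198.51.100.9", "failure"),   # a single typo
    # alice: London, then New York 40 minutes later (about 5,570 km)
    AuthEvent(T0, "alice", "198.51.100.20", "success", *LONDON),
    AuthEvent(T0 + timedelta(minutes=40), "alice", "192.0.2.44", "success", *NEW_YORK),
    # bob: London, then Paris 30 minutes later (about 340 km, under the 500 km threshold)
    AuthEvent(T0, "bob", "198.51.100.21", "success", *LONDON),
    AuthEvent(T0 + timedelta(minutes=30), "bob", "198.51.100.60", "success", *PARIS),
]

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS) + detect_impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample: the spraying address fires once (six failures, four distinct users) and alice's London-to-New York pair fires, while carol's single typo and bob's London-to-Paris hop stay silent. Before deploying an impossible-travel rule, check how your GeoIP source places cloud, VPN and mobile-carrier egress addresses, since those produce most of the false positives.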
### Correlation Rules
```yaml
correlation_rules:
  # Each rule is an ordered sequence: "within" is measured from the previously
  # matched event, and every event in the chain must share the pivot "entity".
  - name: lateral_movement_detection
    description: "Detect potential lateral movement"
    entity: host.name
    events:
      - type: authentication_success
        from: internal_network
      - type: process_execution
        name: ["psexec", "wmic", "powershell"]
        within: 5_minutes
      - type: network_connection
        to: different_internal_host
        within: 10_minutes
    severity: high
  - name: privilege_escalation_chain
    description: "Detect privilege escalation attempts"
    entity: user.name
    events:
      - type: authentication
        account_type: standard_user
      - type: process_execution
        elevated: true
        within: 30_minutes
      - type: account_modification
        action: add_to_admin_group
        within: 1_hour
    severity: critical
```
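Both correlation rules above as a small sequence matcher, added here as an example rather than the page's own engine: stages are ordered, each stage's window is measured from the previously matched stage, and events are correlated per pivot entity (`host` for lateral movement, `user` for the escalation chain). A partial chain is dropped the moment its next window expires, which is what keeps memory bounded on a busy host. The event field names (`host`, `src_ip`, `dst_host`, `process`, `account_type`, `elevated`), the 10.0.0.0/8 "internal" test and the sample events are constructed for the example.

```python
"""Sequence correlation: ordered stages, per-entity pivot, per-stage time windows."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class Stage:
    name: str
    match: Callable[[dict], bool]
    within: Optional[timedelta] = None   # max gap after the previous stage; unused on the first stage


@dataclass
class SequenceRule:
    name: str
    severity: str
    entity: str            # event field that ties the chain together ("host" or "user" here)
    stages: list[Stage]


def correlate(rule: SequenceRule, events: list[dict]) -> list[dict]:
    """Match the rule's stages in order, per entity. A partial chain is
    [index_of_next_stage, ts_of_last_match, matched_events]; it is dropped as
    soon as the next stage's window has expired, so stale chains never linger."""
    partial: dict[str, list] = defaultdict(list)
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev.get(rule.entity)
        if key is None:
            continue
        survivors = []
        for idx, last_ts, trail in partial[key]:
            stage = rule.stages[idx]
            if ev["ts"] - last_ts > stage.within:
                continue                                  # window expired: drop this chain
            if not stage.match(ev):
                survivors.append([idx, last_ts, trail])   # keep waiting for this stage
                continue
            trail = trail + [ev]
            if idx + 1 == len(rule.stages):               # final stage matched: fire
                alerts.append({"rule": rule.name, "severity": rule.severity, rule.entity: key,
                               "first": trail[0]["ts"], "last": ev["ts"],
                               "trail": [(e["ts"], e["type"]) for e in trail]})
            else:
                survivors.append([idx + 1, ev["ts"], trail])
        if rule.stages[0].match(ev):                      # any matching event can open a new chain
            survivors.append([1, ev["ts"], [ev]])
        partial[key] = survivors
    return alerts


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")        # constructed: this example's internal range


REMOTE_EXEC_TOOLS = {"psexec", "wmic", "powershell"}

LATERAL_MOVEMENT = SequenceRule("lateral_movement_detection", "high", "host", [
    Stage("auth_from_internal", lambda e: e["type"] == "authentication_success" and is_internal(e.get("src_ip", ""))),
    Stage("remote_exec_tool", lambda e: e["type"] == "process_execution"
          and e.get("process", "").lower().split(".")[0] in REMOTE_EXEC_TOOLS, timedelta(minutes=5)),
    Stage("to_other_internal_host", lambda e: e["type"] == "network_connection"
          and is_internal(e.get("dst_ip", "")) and e.get("dst_host") != e["host"], timedelta(minutes=10)),
])

PRIVILEGE_ESCALATION = SequenceRule("privilege_escalation_chain", "critical", "user", [
    Stage("standard_user_logon", lambda e: e["type"] == "authentication" and e.get("account_type") == "standard_user"),
    Stage("elevated_process", lambda e: e["type"] == "process_execution" and e.get("elevated") is True,
          timedelta(minutes=30)),
    Stage("added_to_admin_group", lambda e: e["type"] == "account_modification"
          and e.get("action") == "add_to_admin_group", timedelta(hours=1)),
])

# Constructed sample events.
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # ws-042: logon, PsExec two minutes later, connection to another internal host five minutes after that
    {"ts": T0, "type": "authentication_success", "host": "ws-042", "user": "jdoe", "src_ip": "10.0.5.23"},
    {"ts": T0 + timedelta(minutes=2), "type": "process_execution", "host": "ws-042", "user": "jdoe", "process": "PsExec.exe"},
    {"ts": T0 + timedelta(minutes=7), "type": "network_connection", "host": "ws-042", "dst_ip": "10.0.8.15", "dst_host": "fs-01"},
    # ws-099: same tools, but PowerShell ran 20 minutes after logon, outside the 5-minute window
    {"ts": T0, "type": "authentication_success", "host": "ws-099", "user": "asmith", "src_ip": "10.0.5.40"},
    {"ts": T0 + timedelta(minutes=20), "type": "process_execution", "host": "ws-099", "user": "asmith", "process": "powershell.exe"},
    {"ts": T0 + timedelta(minutes=22), "type": "network_connection", "host": "ws-099", "dst_ip": "10.0.8.15", "dst_host": "fs-01"},
    # jdoe: standard-user logon, elevated process, then added to an admin group within the hour
    {"ts": T0 + timedelta(minutes=1), "type": "authentication", "host": "ws-042", "user": "jdoe", "account_type": "standard_user"},
    {"ts": T0 + timedelta(minutes=12), "type": "process_execution", "host": "ws-042", "user": "jdoe", "process": "cmd.exe", "elevated": True},
    {"ts": T0 + timedelta(minutes=50), "type": "account_modification", "host": "dc-01", "user": "jdoe", "action": "add_to_admin_group"},
]

if __name__ == "__main__":
    for rule in (LATERAL_MOVEMENT, PRIVILEGE_ESCALATION):
        for alert in correlate(rule, SAMPLE_EVENTS):
            print(alert)
```

The sample yields one lateral-movement alert for ws-042 and one escalation-chain alert for jdoe; ws-099 stays silent because its second stage arrived after the window closed. In production the per-stage windows are the main tuning knob: too wide and every admin's PsExec session opens a chain, too narrow and a slow operator slips between stages.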
## Alert Management
### Alert Configuration
```yaml
alert_config:
  severity_levels:
    critical:
      response_time: 15_minutes        # acknowledgement SLA
      notifications:
        - pagerduty: security_oncall
        - slack: "#security-critical"
        - email: security-team@company.com
      auto_escalation: 30_minutes      # re-page if still unacknowledged after this long
    high:
      response_time: 1_hour
      notifications:
        - slack: "#security-alerts"
        - email: security-team@company.com
    medium:
      response_time: 4_hours
      notifications:
        - slack: "#security-alerts"
    low:
      response_time: 24_hours
      notifications:
        - ticket_only: true
  deduplication:
    enabled: true
    window: 1_hour                     # repeats of one key inside the window bump a counter instead of re-notifying
    key_fields:
      - rule_id
      - source.ip
      - destination.ip
```
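The `alert_config` semantics in code, as an added example (not the page's own alert manager): deduplication on the three key fields inside the one-hour window, the per-severity `response_time` SLA check, and a one-shot `auto_escalation` for severities that define it. The policy table mirrors the YAML above; the channel strings and the `simulate()` scenario are constructed for the example.

```python
"""Alert deduplication, response-time SLA and one-shot escalation for the alert_config above."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Mirrors alert_config (constructed; tune for your own SLAs and channels).
SEVERITY_POLICY = {
    "critical": {"response_time": timedelta(minutes=15), "auto_escalation": timedelta(minutes=30),
                 "notify": ["pagerduty:security_oncall", "slack:#security-critical", "email:security-team@company.com"]},
    "high":     {"response_time": timedelta(hours=1), "auto_escalation": None,
                 "notify": ["slack:#security-alerts", "email:security-team@company.com"]},
    "medium":   {"response_time": timedelta(hours=4), "auto_escalation": None, "notify": ["slack:#security-alerts"]},
    "low":      {"response_time": timedelta(hours=24), "auto_escalation": None, "notify": ["ticket_only"]},
}
DEDUP_KEY_FIELDS = ("rule_id", "source.ip", "destination.ip")
DEDUP_WINDOW = timedelta(hours=1)


class AlertManager:
    def __init__(self) -> None:
        self.records: dict[tuple, dict] = {}      # dedup key -> open alert record

    @staticmethod
    def dedup_key(alert: dict) -> tuple:
        # Absent fields dedup as None, so a rule with no destination still collapses correctly.
        return tuple(alert.get(f) for f in DEDUP_KEY_FIELDS)

    def ingest(self, alert: dict, now: datetime) -> tuple[str, dict]:
        """Return ("suppressed", record) for a repeat inside the window, else ("notified", new record)."""
        key = self.dedup_key(alert)
        rec = self.records.get(key)
        if rec and not rec["acknowledged"] and now - rec["first_seen"] < DEDUP_WINDOW:
            rec["count"] += 1
            rec["last_seen"] = now
            return "suppressed", rec
        policy = SEVERITY_POLICY[alert["severity"]]
        rec = {"key": key, "severity": alert["severity"], "first_seen": now, "last_seen": now,
               "count": 1, "acknowledged": False, "escalated": False, "notify": list(policy["notify"])}
        self.records[key] = rec                   # an acknowledged record is replaced, not extended
        return "notified", rec

    def acknowledge(self, key: tuple, now: datetime) -> None:
        rec = self.records[key]
        rec["acknowledged"] = True
        rec["time_to_ack"] = now - rec["first_seen"]

    def overdue(self, now: datetime) -> list[dict]:
        """Unacknowledged alerts whose response_time SLA has already elapsed."""
        return [r for r in self.records.values() if not r["acknowledged"]
                and now - r["first_seen"] > SEVERITY_POLICY[r["severity"]]["response_time"]]

    def escalate(self, now: datetime) -> list[dict]:
        """Fire auto_escalation once per record, only for severities that define it."""
        due = []
        for r in self.records.values():
            limit = SEVERITY_POLICY[r["severity"]]["auto_escalation"]
            if limit and not r["acknowledged"] and not r["escalated"] and now - r["first_seen"] >= limit:
                r["escalated"] = True
                due.append(r)
        return due


def simulate() -> dict:
    """Constructed scenario: a brute-force alert repeating every 5 minutes and a critical alert nobody picks up."""
    T0 = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
    t = lambda minutes: T0 + timedelta(minutes=minutes)
    mgr = AlertManager()
    bf = {"rule_id": "brute_force_login", "severity": "high", "source.ip": "203.0.113.7"}
    crit = {"rule_id": "known_malware_hash", "severity": "critical", "source.ip": "10.0.5.23"}
    outcomes = [mgr.ingest(bf, t(5 * i))[0] for i in range(4)]     # notified, then three suppressed
    mgr.ingest(crit, t(0))
    bf_count = mgr.records[mgr.dedup_key(bf)]["count"]
    mgr.acknowledge(mgr.dedup_key(bf), t(20))
    overdue_20 = [r["severity"] for r in mgr.overdue(t(20))]        # critical is past its 15-minute SLA
    reopened = mgr.ingest(bf, t(25))[0]                             # acknowledged record no longer suppresses
    escalated_31 = [r["severity"] for r in mgr.escalate(t(31))]     # critical escalates once at 30 minutes
    escalated_45 = [r["severity"] for r in mgr.escalate(t(45))]     # and not again
    return {"outcomes": outcomes, "bf_count": bf_count, "overdue_20": overdue_20,
            "reopened": reopened, "escalated_31": escalated_31, "escalated_45": escalated_45}


if __name__ == "__main__":
    print(simulate())
```

Keying deduplication on `destination.ip` means a single source scanning many hosts still raises one alert per destination; if that is the noise you are fighting, collapse on `rule_id` plus `source.ip` for scan-type rules and carry the destination count in the record instead.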
### Alert Template
```yaml
alert_template:
  title: "[{{severity}}] {{rule_name}}"
  body: |
    ## Security Alert
    **Rule:** {{rule_name}}
    **Severity:** {{severity}}
    **Time:** {{timestamp}}

    ### Details
    - **Source IP:** {{source.ip}}
    - **Source User:** {{user.name}}
    - **Destination:** {{destination.ip}}
    - **Action:** {{event.action}}

    ### Context
    {{event_context}}

    ### Recommended Actions
    {{#each recommended_actions}}
    - {{this}}
    {{/each}}

    ### Related Events
    {{related_events_link}}
```
## Incident Response
### Incident Workflow
```
INCIDENT RESPONSE WORKFLOW:

┌─────────────────┐
│    Detection    │
│  (Alert Fired)  │
└────────┬────────┘
         ▼
┌─────────────────┐
│     Triage      │
│  - Validate     │
│  - Classify     │
│  - Prioritize   │
└────────┬────────┘
         ▼
┌─────────────────┐
│   Containment   │
│  - Isolate      │
│  - Block        │
│  - Preserve     │
└────────┬────────┘
         ▼
┌─────────────────┐
│  Investigation  │
│  - Collect      │
│  - Analyze      │
│  - Correlate    │
└────────┬────────┘
         ▼
┌─────────────────┐
│   Eradication   │
│  - Remove       │
│  - Patch        │
│  - Harden       │
└────────┬────────┘
         ▼
┌─────────────────┐
│    Recovery     │
│  - Restore      │
│  - Verify       │
│  - Monitor      │
└────────┬────────┘
         ▼
┌─────────────────┐
│  Post-Incident  │
│  - Document     │
│  - Review       │
│  - Improve      │
└─────────────────┘
```
### Playbook Automation
```yaml
playbooks:
  - name: ransomware_response
    trigger:
      alert_type: ransomware_detected
    steps:
      - name: isolate_endpoint
        action: network_isolate          # isolate the network but keep the host powered on: the memory capture below needs it
        target: "{{affected_host}}"
      - name: disable_account
        action: disable_ad_account
        target: "{{user.name}}"
      - name: preserve_evidence
        action: capture_memory_image
        target: "{{affected_host}}"
      - name: notify_stakeholders
        action: send_notification
        channels:
          - security_team
          - it_leadership
          - legal_if_needed
      - name: create_incident
        action: create_ticket
        priority: critical
        template: ransomware_incident
  - name: phishing_response
    trigger:
      alert_type: phishing_reported
    steps:
      - name: analyze_email
        action: extract_iocs
        extract:
          - sender_address
          - urls
          - attachments
      - name: check_recipients
        action: query_email_logs
        find: all_recipients
      - name: block_sender
        action: add_to_blocklist
        target: "{{sender_address}}"
      - name: remove_emails
        action: delete_from_mailboxes    # destructive and hard to undo: gate behind analyst approval
        target: all_recipients
```
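The `phishing_response` playbook driven by a small runner, added as an example and not the template's own automation. It shows the three things a playbook engine has to get right: step targets such as `{{sender_address}}` are rendered from a context that earlier steps populate, destructive actions (`delete_from_mailboxes`, `disable_ad_account`, `network_isolate`) are skipped with status `needs_approval` unless that step is explicitly approved, and every step is recorded in an audit trail whether it succeeded, failed or was held. The sample email, the mail-log rows and the in-memory blocklist are constructed stand-ins for the mail gateway; the ransomware playbook runs through the same loop once its actions are registered.

```python
"""Playbook runner: context-rendered targets, approval gate for destructive actions, audit trail."""
from __future__ import annotations
import re
from typing import Callable

# Constructed subset of the phishing_response playbook above.
PHISHING_PLAYBOOK = {
    "name": "phishing_response",
    "steps": [
        {"name": "analyze_email",    "action": "extract_iocs",          "target": "{{raw_email}}"},
        {"name": "check_recipients", "action": "query_email_logs",      "target": "{{sender_address}}"},
        {"name": "block_sender",     "action": "add_to_blocklist",      "target": "{{sender_address}}"},
        {"name": "remove_emails",    "action": "delete_from_mailboxes", "target": "{{all_recipients}}"},
    ],
}
# Actions that change production state and need a named approval before they run.
DESTRUCTIVE_ACTIONS = {"delete_from_mailboxes", "disable_ad_account", "network_isolate"}

# Constructed stand-ins for the mail gateway, its logs and the sender blocklist.
SAMPLE_EMAIL = (
    'From: "IT Helpdesk" <helpdesk@example-mail.test>\n'
    "To: alice@company.example\n"
    "Subject: Password expiry\n\n"
    "Your password expires today. Verify at http://login-company.example.test/reset?u=alice\n"
)
EMAIL_LOG = [
    {"sender": "helpdesk@example-mail.test", "recipient": "alice@company.example"},
    {"sender": "helpdesk@example-mail.test", "recipient": "bob@company.example"},
    {"sender": "newsletter@vendor.example", "recipient": "alice@company.example"},
]
BLOCKLIST: set[str] = set()
DELETED: list[str] = []


def render(template: str, ctx: dict):
    """Resolve {{field}} from the alert context. A lone placeholder returns the object
    itself (so lists stay lists); otherwise placeholders are substituted as text."""
    whole = re.fullmatch(r"\{\{(\w+)\}\}", template)
    if whole:
        return ctx[whole.group(1)]                        # KeyError if an earlier step did not set it
    return re.sub(r"\{\{(\w+)\}\}", lambda m: str(ctx[m.group(1)]), template)


def extract_iocs(raw_email: str, ctx: dict) -> dict:
    m = re.search(r"^From:.*?<([^>]+)>", raw_email, re.M)
    ctx["sender_address"] = m.group(1) if m else None
    ctx["urls"] = re.findall(r"https?://[^\s>\"']+", raw_email)
    return {"sender": ctx["sender_address"], "urls": ctx["urls"]}


def query_email_logs(sender: str, ctx: dict) -> list[str]:
    ctx["all_recipients"] = sorted({r["recipient"] for r in EMAIL_LOG if r["sender"] == sender})
    return ctx["all_recipients"]


def add_to_blocklist(sender: str, ctx: dict) -> str:
    BLOCKLIST.add(sender)
    return sender


def delete_from_mailboxes(recipients: list[str], ctx: dict) -> int:
    DELETED.extend(recipients)
    return len(recipients)


ACTIONS: dict[str, Callable] = {
    "extract_iocs": extract_iocs, "query_email_logs": query_email_logs,
    "add_to_blocklist": add_to_blocklist, "delete_from_mailboxes": delete_from_mailboxes,
}


def run_playbook(playbook: dict, ctx: dict, approved: frozenset[str] = frozenset()) -> list[dict]:
    """Run steps in order. A failed or unapproved step is recorded and the run continues,
    so notification and ticketing steps still happen after an earlier failure."""
    audit = []
    for step in playbook["steps"]:
        rec = {"step": step["name"], "action": step["action"]}
        try:
            target = render(step["target"], ctx)
        except KeyError as missing:
            rec.update(status="failed", error=f"missing context field {missing}")
            audit.append(rec)
            continue
        rec["target"] = target
        if step["action"] in DESTRUCTIVE_ACTIONS and step["name"] not in approved:
            rec["status"] = "needs_approval"
        else:
            try:
                rec.update(status="done", result=ACTIONS[step["action"]](target, ctx))
            except Exception as exc:                      # one broken action must not abort the playbook
                rec.update(status="failed", error=repr(exc))
        audit.append(rec)
    return audit


if __name__ == "__main__":
    for entry in run_playbook(PHISHING_PLAYBOOK, {"raw_email": SAMPLE_EMAIL}):
        print(entry)
```

On the sample, the first run extracts the sender and URL, finds two recipients, adds the sender to the blocklist and holds `remove_emails` for approval; re-running with `approved=frozenset({"remove_emails"})` completes the deletion. The audit list is what goes onto the incident ticket.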
## Compliance Monitoring
### Compliance Frameworks
```yaml
compliance_checks:
  pci_dss:
    # Requirement numbers follow PCI DSS v3.2.1; v4.0 renumbered these controls.
    - requirement: "10.2.1"
      description: "Log all individual user access to cardholder data"
      query: |
        SELECT * FROM audit_logs
        WHERE data_classification = 'cardholder'
          AND timestamp > NOW() - INTERVAL '24 hours'
      expected: all_access_logged
    - requirement: "10.6.1"
      description: "Review logs daily"
      check: daily_log_review_completed
  hipaa:
    - requirement: "164.312(b)"
      description: "Audit controls"
      checks:
        - audit_logging_enabled
        - log_retention_6_years
        - tamper_protection
  soc2:
    - control: "CC6.1"
      description: "Logical access security"
      checks:
        - mfa_enabled
        - password_policy_enforced
        - access_reviews_quarterly
```
### Compliance Dashboard
```
COMPLIANCE STATUS DASHBOARD
═══════════════════════════════════════
PCI-DSS: ████████████░░░░ 92% ✓
HIPAA: ██████████████░░ 98% ✓
SOC 2: █████████████░░░ 95% ✓
GDPR: ████████████████ 100% ✓
FINDINGS BY SEVERITY:
Critical ░░░░░░░░░░░░░░░░ 0
High ██░░░░░░░░░░░░░░ 3
Medium ████░░░░░░░░░░░░ 8
Low ██████░░░░░░░░░░ 15
UPCOMING DEADLINES:
• Jan 30: Quarterly access review
• Feb 15: Penetration test scheduled
• Feb 28: Annual audit prep
```
## Security Metrics
### KPI Dashboard
```
SECURITY OPERATIONS METRICS
═══════════════════════════════════════
DETECTION:
MTTD (Mean Time to Detect): 4.2 hours
Alert Volume: 1,234/day
True Positive Rate: 78%
RESPONSE:
MTTR (Mean Time to Respond): 1.8 hours
Incidents Resolved: 23/week
SLA Compliance: 96%
COVERAGE:
Assets Monitored: 2,456/2,500 (98%)
Log Sources: 45 active
Detection Rules: 234 active
THREAT LANDSCAPE:
Blocked Attacks: 12,456/month
Vulnerabilities: 89 open
Patch Compliance: 94%
```
### Reporting
```yaml
reports:
  - name: daily_security_briefing
    schedule: "0 8 * * *"        # 08:00 every day
    recipients: security_team
    sections:
      - overnight_alerts
      - active_incidents
      - threat_intelligence_updates
  - name: weekly_executive_summary
    schedule: "0 9 * * 1"        # 09:00 every Monday
    recipients: leadership
    sections:
      - key_metrics
      - significant_incidents
      - risk_posture
      - recommendations
  - name: monthly_compliance_report
    schedule: "0 9 1 * *"        # 09:00 on the 1st of each month
    recipients: compliance_team
    sections:
      - control_status
      - audit_findings
      - remediation_progress
```
## Best Practices
1. **Defense in Depth**: Multiple detection layers
2. **Least Privilege**: Minimize access rights
3. **Log Everything**: Comprehensive audit trails
4. **Automate Response**: Reduce MTTR
5. **Regular Testing**: Validate controls
6. **Threat Intelligence**: Stay informed
7. **Incident Drills**: Practice response
8. **Continuous Improvement**: Learn from incidents

What This Does
Comprehensive workflow for security monitoring, threat detection, and incident response automation.
Quick Start
Step 1: Create a Project Folder
mkdir -p ~/Documents/SecurityMonitoring
Step 2: Download the Template
Click Download above, then:
mv ~/Downloads/CLAUDE.md ~/Documents/SecurityMonitoring/
Step 3: Start Working
cd ~/Documents/SecurityMonitoring
claude