added triage guides

Author: aring87

content/triage-guides/sentinel/discovery/dns-enumeration-via-command-line-tools.md

@@ -0,0 +1,98 @@
+# Triage Guide: DNS Enumeration via Command-Line Tools
+
+## Detection Title
+DNS Enumeration via Command-Line Tools
+
+## Objective
+
+This detection identifies execution of command-line utilities commonly used to perform DNS-based enumeration and external lookup activity. These tools may be used to discover hosts, domains, name servers, or public-facing infrastructure.
+
+## Why It Matters
+
+Attackers often use DNS utilities early in an intrusion to:
+- resolve internal or external hosts
+- identify name servers
+- gather domain information
+- validate command-and-control infrastructure
+- map reachable services or systems
+
+This behavior is not inherently malicious, but it becomes more concerning when used from unusual hosts, by unusual users, or alongside other discovery or staging activity.
+
+## Alert Logic Summary
+
+The rule is intended to identify use of command-line DNS enumeration tooling such as:
+- `nslookup`
+- `dig`
+- `host`
+- `whois`
+
+depending on the exact detection logic in the paired rule.
+
+## Initial Triage Questions
+
+- Which tool was used?
+- Who executed it?
+- Was the execution on a user workstation, admin host, server, or test box?
+- Was the target internal or external?
+- Is this expected for the user’s role?
+- Did the same user or host also perform other discovery actions?
+
+## Investigation Steps
+
+1. Review the full process command line.
+2. Identify the executing account and host role.
+3. Determine which domains, hosts, or IPs were being queried.
+4. Assess whether the tool usage was:
+   - normal troubleshooting
+   - administrator activity
+   - security testing
+   - broad reconnaissance
+5. Look for related discovery activity on the same device:
+   - `ipconfig`
+   - `arp`
+   - `net`
+   - `nltest`
+   - `dsquery`
+   - `systeminfo`
+6. Review whether the activity is followed by:
+   - remote access attempts
+   - outbound connections
+   - PowerShell execution
+   - suspicious downloads
+
+## Common False Positives
+
+- administrator troubleshooting
+- network diagnostics
+- help desk activity
+- server configuration checks
+- approved security or infrastructure testing
+
+## Escalation Guidance
+
+Escalate when:
+- the user is not expected to perform network enumeration
+- the host is a normal user workstation
+- the same system shows other discovery or execution behaviors
+- the queries target suspicious or attacker-controlled domains
+- the activity appears broad, repeated, or scripted
+
+## Recommended Enrichment
+
+- full command line
+- queried domains or IPs
+- process tree
+- user role
+- host criticality
+- recent discovery commands on the same host
+- recent outbound connections
+
+## ATT&CK Mapping
+
+- Discovery
+- T1016 – System Network Configuration Discovery
+- T1590 / T1596 style pre-attack or recon behaviors, depending on exact usage context
+
+## Related Rule
+
+- `detections/sentinel/discovery/dns-enumeration-via-command-line-tools.yml`

content/triage-guides/sentinel/discovery/ldap-enumeration-using-powershell.md

@@ -0,0 +1,98 @@
+# Triage Guide: LDAP Enumeration Using PowerShell
+
+## Detection Title
+LDAP Enumeration Using PowerShell
+
+## Objective
+
+This detection identifies PowerShell-based LDAP or Active Directory enumeration activity that may be used to collect information about users, groups, computers, trusts, or organizational structure.
+
+## Why It Matters
+
+LDAP and AD enumeration are common attacker discovery activities used to:
+- identify users and privileged accounts
+- discover groups and roles
+- locate servers or domain controllers
+- map trust relationships
+- prepare for lateral movement or privilege escalation
+
+PowerShell-based LDAP enumeration is especially important when used from non-admin hosts or by users who do not normally perform directory queries.
+
+## Alert Logic Summary
+
+The rule is intended to identify PowerShell commands or patterns associated with LDAP / AD enumeration, such as:
+- `[ADSISearcher]`
+- `Get-ADUser`
+- `Get-ADComputer`
+- `Get-ADGroup`
+- LDAP query strings
+- PowerShell-based directory search methods
+
+## Initial Triage Questions
+
+- Was the query executed by an admin, engineer, or normal user?
+- Was the host expected to perform directory administration?
+- Was the PowerShell use interactive, scripted, or remote?
+- Did the same session include account enumeration or privileged-group discovery?
+- Was the activity followed by authentication attempts or remote execution?
+
+## Investigation Steps
+
+1. Review the full PowerShell command line.
+2. Identify the executing account and host type.
+3. Determine the scope of enumeration:
+   - users
+   - groups
+   - computers
+   - trusts
+   - domain structure
+4. Check whether the activity aligns with the user’s normal role.
+5. Review surrounding PowerShell activity for:
+   - encoded commands
+   - AMSI or logging tampering
+   - remote execution
+   - credential access
+6. Review whether the same host or account later attempted:
+   - NTLM auth probing
+   - WMI / PSRemoting
+   - group membership enumeration
+   - admin share access
+
+## Common False Positives
+
+- legitimate AD administration
+- identity engineering workflows
+- PowerShell-based inventory scripts
+- help desk scripts
+- authorized security assessments
+
+## Escalation Guidance
+
+Escalate when:
+- the activity is from a non-admin workstation
+- the user is not expected to enumerate AD
+- the activity appears broad or scripted
+- it is followed by credential access or lateral movement
+- the PowerShell execution context is suspicious
+
+## Recommended Enrichment
+
+- full command line
+- PowerShell script block logs if available
+- user role and privilege level
+- host role
+- parent process
+- subsequent logon or remote execution activity
+- related group / trust / account discovery commands
+
+## ATT&CK Mapping
+
+- Discovery
+- T1087 – Account Discovery
+- T1069 – Permission Group Discovery
+- T1482 – Domain Trust Discovery
+- T1018 / T1082 depending on scope
+
+## Related Rule
+
+- `detections/sentinel/discovery/ldap-enumeration-using-powershell.yml`

content/triage-guides/sentinel/discovery/net-group-and-domain-trust-discovery.md

@@ -0,0 +1,95 @@
+# Triage Guide: Net Group and Domain Trust Discovery
+
+## Detection Title
+Net Group and Domain Trust Discovery
+
+## Objective
+
+This detection identifies use of commands associated with group enumeration, domain trust discovery, and related domain reconnaissance.
+
+## Why It Matters
+
+Attackers use group and trust discovery to:
+- identify privileged groups
+- understand domain relationships
+- map administrative boundaries
+- identify paths for lateral movement
+- identify high-value identity targets
+
+This type of activity is especially relevant in enterprise and domain environments.
+
+## Alert Logic Summary
+
+The rule is intended to identify execution of commands such as:
+- `net group`
+- `net group /domain`
+- `nltest`
+- trust-discovery-related commands
+- similar domain-recon patterns
+
+## Initial Triage Questions
+
+- Was the command focused on local groups, domain groups, or trust relationships?
+- Is the user expected to perform domain administration?
+- Did the host also show other AD or account discovery activity?
+- Did the same session include remote admin or credential access behavior?
+- Was the activity interactive or launched by a script/tool?
+
+## Investigation Steps
+
+1. Review the full command line.
+2. Identify whether the target was:
+   - domain groups
+   - admin groups
+   - trust relationships
+   - domain metadata
+3. Review the executing account and host.
+4. Determine whether the activity aligns with normal IT/admin duties.
+5. Review nearby activity for:
+   - `net user`
+   - `whoami /groups`
+   - PowerShell AD enumeration
+   - `dsquery`
+   - `nltest /domain_trusts`
+6. Check for follow-on signs of:
+   - privileged access attempts
+   - lateral movement
+   - share enumeration
+   - service or task creation
+
+## Common False Positives
+
+- domain administration
+- troubleshooting trust issues
+- identity engineering work
+- server onboarding / migration activity
+- approved security validation
+
+## Escalation Guidance
+
+Escalate when:
+- the user is not expected to perform domain discovery
+- the command targets privileged groups or trust relationships
+- the host is a normal workstation
+- the activity is part of a broader discovery burst
+- it is followed by authentication or movement attempts
+
+## Recommended Enrichment
+
+- full command line
+- queried group / trust details
+- user role
+- host sensitivity
+- adjacent discovery commands
+- related authentication events
+- parent process / script context
+
+## ATT&CK Mapping
+
+- Discovery
+- T1069 – Permission Group Discovery
+- T1482 – Domain Trust Discovery
+
+## Related Rule
+
+- `detections/sentinel/discovery/net-group-and-domain-trust-discovery.yml`

content/triage-guides/sentinel/discovery/net-user-enumeration.md

@@ -0,0 +1,88 @@
+# Triage Guide: Net User Enumeration
+
+## Detection Title
+Net User Enumeration
+
+## Objective
+
+This detection identifies use of `net user` and related commands to enumerate local or domain user accounts.
+
+## Why It Matters
+
+Account enumeration is a common discovery step used to:
+- identify valid usernames
+- identify privileged or service accounts
+- prepare for password spraying
+- prepare for lateral movement
+- validate targeting opportunities
+
+This command is legitimate in administration, but it is also frequently used by attackers after initial access.
+
+## Alert Logic Summary
+
+The rule is intended to identify use of:
+- `net user`
+- `net user /domain`
+- related account-discovery commands
+
+## Initial Triage Questions
+
+- Who ran `net user`?
+- Was it run on a workstation, server, or admin host?
+- Was the command local-only or domain-focused?
+- Does the user normally perform account administration?
+- Were there additional discovery commands nearby?
+
+## Investigation Steps
+
+1. Review the full command line.
+2. Identify whether the query targeted:
+   - local users
+   - domain users
+3. Determine the user and host context.
+4. Review neighboring process activity for:
+   - `net group`
+   - `whoami`
+   - `nltest`
+   - `dsquery`
+   - PowerShell AD queries
+5. Check whether the same account or host later attempted:
+   - failed logons
+   - remote execution
+   - privilege escalation
+6. Determine whether the activity was interactive or launched from a script/tool.
+
+## Common False Positives
+
+- legitimate admin troubleshooting
+- help desk checks
+- server build/configuration workflows
+- account administration scripts
+
+## Escalation Guidance
+
+Escalate when:
+- the activity is performed by a non-admin user
+- it originates from a suspicious or recently compromised host
+- it is one step in a larger discovery burst
+- it is followed by password spraying or lateral movement
+- the user cannot explain the action
+
+## Recommended Enrichment
+
+- full command line
+- user account and privilege level
+- host type
+- nearby discovery commands
+- related failed/successful logons
+- parent process
+- interactive vs scripted execution context
+
+## ATT&CK Mapping
+
+- Discovery
+- T1087 – Account Discovery
+
+## Related Rule
+
+- `detections/sentinel/discovery/net-user-enumeration.yml`