Blue team

Overview

The blue team defends an organization’s assets: hardening systems, monitoring for malicious activity, investigating alerts, and improving controls based on lessons learned. Blue work pairs with purple team exercises that align detection with realistic attacker techniques.

Key concepts

  • Preventive controls — Patch management, secure configuration, IAM, segmentation.
  • Detective controls — Logging, SIEM rules, EDR, IDS/IPS, deception.
  • Threat intelligence — IOCs and TTPs mapped to MITRE ATT&CK.
  • Tabletop & purple — Validate playbooks against red/purple scenarios.
  • Metrics — MTTD, MTTR, coverage of critical assets, patch SLAs.

Detection pipeline

Sample: Sigma-style rule sketch (illustrative)

title: Suspicious PowerShell encoded command
logsource:
  product: windows
  service: powershell
detection:
  selection:
    ScriptBlockText|contains:
      - '-enc '
      - '-encodedcommand'
  condition: selection
level: medium
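The rule sketch above in executable form, as an added example that is not part of the original page: the selection is applied to constructed script-block-log records, and the base64/UTF-16LE argument is decoded so the analyst can see what actually ran. The event field names and the sample events are assumptions modelled on Windows Event ID 4104.

```python
import base64
import re

# Sigma's |contains modifier is a case-insensitive substring test,
# so both selection strings are compared against lower-cased text.
SELECTION = ["-enc ", "-encodedcommand"]
RULE = {"title": "Suspicious PowerShell encoded command", "level": "medium"}

# -EncodedCommand takes base64 of the UTF-16LE script text. Constructed,
# benign payload used by the sample events below (not a real capture).
PAYLOAD = base64.b64encode("Write-Host 'hello blue team'".encode("utf-16-le")).decode()

# Constructed records modelled on Event ID 4104 (script block logging).
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    {"EventID": 4104, "ScriptBlockText": f"powershell.exe -NoP -enc {PAYLOAD}"},
    {"EventID": 4104, "ScriptBlockText": f"powershell -EncodedCommand {PAYLOAD}"},
    {"EventID": 4104, "ScriptBlockText": "Write-Host 'this mentions -encodedcommand only'"},
]

_ARG_RE = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def matches_selection(script_block: str) -> bool:
    """True when any selection string occurs in the script block (case-insensitive)."""
    text = script_block.lower()
    return any(needle in text for needle in SELECTION)


def decode_encoded_command(script_block: str):
    """Recover the plaintext behind -enc/-EncodedCommand for triage, or None."""
    m = _ARG_RE.search(script_block)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # truncated, not base64, or not UTF-16LE text


def run_rule(events):
    """Apply the rule to 4104 events; each alert carries the decoded command if any."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104 or not matches_selection(ev["ScriptBlockText"]):
            continue
        alerts.append({**RULE, "decoded": decode_encoded_command(ev["ScriptBlockText"])})
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["level"], alert["title"], "->", alert["decoded"])
```

The fourth sample fires with nothing to decode because the selection is a plain substring match, which is the kind of false positive a medium-level rule should be tuned against. Abbreviated spellings of the switch that PowerShell also accepts are outside this selection, so coverage should be checked in a purple-team run rather than assumed.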

References