# Persona: Greenfield startup, week 1 of detection
# ------------------------------------------------------------------
# A 30-person startup that just deployed CrowdStrike Falcon to all
# laptops and that's it. No SIEM, no log aggregation, no network
# instrumentation, no cloud audit beyond the default AWS CloudTrail
# trail nobody reads. Use this as the "before" picture against which
# the mature-enterprise persona is the "after". Lots of red on the
# Navigator heatmap -- useful to drive a conversation about what
# additional sources would unlock the most coverage.
# ------------------------------------------------------------------
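---
version: 1.3
file_type: data-source-administration
name: Greenfield startup

# Single system entry: `applicable_to: all` attributes every log source
# below to this one system -- there is no per-platform split yet, so a
# laptop-only source (Falcon) and a cloud-only source (CloudTrail) score
# against the same system.
systems:
  - applicable_to: all
    description: 30 employees, MacOS + Windows laptops, AWS prod

# Each entry is one (name, channel) pair plus a coverage score and a
# free-text comment. Entries are written in block style (one key per
# line) so a score change diffs as a single line and each entry can carry
# its own explanatory comment.
# Event-ID channels are quoted so they stay strings; an unquoted `1`
# would be parsed as an integer by most YAML loaders.
# NOTE(review): the score scale is not defined in this file -- assumed to
# be the consuming tool's data-quality scale; confirm against its schema.
log_sources:
  # ---- EDR-derived telemetry on every laptop (CrowdStrike Falcon) ----
  # Falcon emits the equivalent of these channels -- score reflects what
  # we can actually query / pivot on, not what the agent can theoretically
  # produce. Per the header Falcon is the only agent deployed, so these
  # `sysmon` rows are Falcon event types mapped onto the Sysmon event IDs
  # the heatmap tooling expects, not native Sysmon.
  - name: sysmon
    channel: "1"
    score: 4
    comment: "Falcon process events"
  - name: sysmon
    channel: "5"
    score: 3
    comment: "Process termination"
  - name: sysmon
    channel: "10"
    score: 1
    comment: "Process Access (Falcon-derived, sparse)"
  - name: sysmon
    channel: "7"
    score: 2
    comment: "Module Load (Falcon-derived)"
  - name: sysmon
    channel: "11"
    score: 3
    comment: "File Create"
  # Host-side only: there is no network instrumentation (header), so this
  # channel sees the connecting process but nothing from the wire.
  - name: sysmon
    channel: "3"
    score: 2
    comment: "Network Connection (host-side only)"

  # ---- Linux dev boxes with auditd defaults ----
  # Not centralized: logs live on each box, so they support per-host
  # investigation but not fleet-wide search or alerting.
  - name: auditd
    channel: execve
    score: 2
    comment: "Default audit rules, not centralized"
  - name: auditd
    channel: WRITE
    score: 1
    comment: "Sparse"

  # ---- AWS CloudTrail enabled but unmonitored ----
  # The trail exists (default, per the header) but is read by nobody and
  # is not shipped anywhere, so it counts for after-the-fact investigation
  # only -- hence the low score despite the data being produced.
  - name: aws-cloudtrail
    channel: management
    score: 1
    comment: "Default trail, not shipped to a SIEM"

  # ---- Identity: Google Workspace audit, queried ad-hoc ----
  # Mapped onto the generic application-log source because it is only
  # reachable through the console. NOTE(review): if the consuming tool has
  # a dedicated identity/SaaS source name, re-mapping there would make the
  # heatmap attribution more precise -- confirm against its vocabulary.
  - name: application-log
    channel: generic
    score: 1
    comment: "GSuite audit accessed via console only"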