Windows Security Log Quick Reference

This entry is part 20 of 25 in the series Threat Detection Engineering

Views: 3🛡️ For Cybersecurity Defensive Operations and IR/Threat Hunting 🔐 Authentication Events 🗝️ Account Management Events 📂 Object Access Events ✅ Note: Requires enabling object auditing via GPO and SACLs. 🧰 Privilege Use and Logon Types PRO Tip: Use Logon Type + Event 4624/4625 to spot RDP logins, scheduled tasks, or lateral movement attempts. ⚙️ … Read more

SIEM: Onboarding WIndows Servers

This entry is part 19 of 25 in the series Threat Detection Engineering

Views: 31When integrating Windows servers into your Security Information and Event Management (SIEM) platform, selecting the right log sources is crucial for effective threat detection while maintaining optimal system performance. This comprehensive guide outlines the essential Windows event logs to collect, explains their security significance, and provides a ready-to-deploy PowerShell script for configuration.

Data Manipulation in Splunk: PART II

This entry is part 10 of 4 in the series Splunk 101

Views: 22Event Boundaries Event breaking in Splunk refers to breaking raw data into individual events based on specified boundaries. Splunk uses event-breaking rules to identify where one event ends, and the next begins. In the PART I of this series, we have created a TestApp which is placed at /opt/splunk/etc/apps/TestApp/. Please follow this link to read the PART I article. … Read more

Data Manipulation in Splunk: PART I

This entry is part 9 of 4 in the series Splunk 101

Views: 31Splunk Log Parsing and Transformation Configuration Splunk needs to be properly configured to parse and transform the logs appropriately. Some of the issues being highlighted are: Splunk Data Parsing Guide Data parsing in Splunk involves extracting relevant fields and transforming the data into a structured format for efficient analysis. Step 1: Understand the Data … Read more

Regular Expressions

This entry is part 8 of 4 in the series Splunk 101

Views: 10Regular Expressions: Charsets Searching for Specific Strings Charsets in Regex Using Ranges Matching and Excluding Patterns Important Notes Regular Expressions: Wildcards and Optional Characters Wildcard Matching (. Dot) Optional Characters (? Question Mark) Matching a Literal Dot (\.) Regular Expressions: Line Anchors and Grouping Line Anchors Important Note: Grouping and Either/Or (|) Repeating Groups … Read more

Snort 101 (Part 01)

This entry is part 2 of 4 in the series Instrusion Detection and Prevention

Views: 34Intrusion Detection System (IDS) IDS is a passive monitoring solution for detecting possible malicious activities/patterns, abnormal incidents, and policy violations. It is responsible for generating alerts for each suspicious event.  There are two main types of IDS systems; Intrusion Prevention System (IPS) IPS is an active protecting solution for preventing possible malicious activities/patterns, abnormal incidents, and policy violations. … Read more

Splunk SIEM: Search Processing Language (SPL) Basics

This entry is part 7 of 4 in the series Splunk 101

Views: 134Splunk Search Processing Language comprises of multiple functions, operators and commands that are used together to form a simple to complex search and get the desired results from the ingested logs. Main components of SPL Search Field Operators Comparison Operators These operators are used to compare the values against the fields. Field Name Operator … Read more

 Ship OPNSense Firewall Logs To Splunk SIEM

Views: 185Shipping OPNsense firewall logs to Splunk centralizes log management, allowing for seamless consolidation with other network and system logs. This integration enhances visibility into network traffic, enabling the identification of threats like port scans, malware communication, or brute force attacks. By correlating OPNsense logs with logs from other sources, organizations can perform faster root … Read more

(TryHackMe) Servidae: Log Analysis in ELK

This entry is part 1 of 4 in the series TryHackMe

Views: 814Link to the TryHackMe Room; https://tryhackme.com/r/room/servidae Room Objectives: In this room, we will analyze the log data from a compromised workstation using the Kibana interface. Within this room’s tasks, we will explore the components of the Elastic (ELK) Stack and gain insights into the various search and filter functions available in Kibana. Our ultimate … Read more

Log Analysis: Basics

This entry is part 17 of 25 in the series Threat Detection Engineering

Views: 79Understanding Logs in Infrastructure Systems Logs and Their Role Log Analysis What Are Logs? Definition Log Entry Components Sample Log Analysis Importance of Logs 1. System Troubleshooting 2. Cybersecurity Incident Response 3. Threat Hunting 4. Compliance Types of Logs in Computing Environments Integrative Analysis Data Visualization Data visualization tools, such as Kibana (of the … Read more