Intrusion Detection and Response
Splunk SPL 101
Views: 13
Practical Threat Hunting using Elastic SIEM: Hunting for Stuxbot
Views: 218Based on the INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC module from HTB-Academy Hunting for Stuxbot The Stuxbot cybercrime group operates with a broad scope, seizing upon opportunities as they arise, without any specific targeting strategy – their motto seems to be anyone, anytime. The primary motivation behind their actions appears to be espionage … Read more
Elastic SIEM: Developing Dashboards & Visualization
Views: 27Use case 1: Failed Logon Attempts (Disabled Users) Use case 2: Failed Logon Attempts (using Admin Accounts) Use case 3: Successful RDP Logon Related To Service Accounts Use case 4: Users Added Or Removed From A Local Group
SIEM Use cases
Views: 18How To Build SIEM Use Cases Example SIEM Use cases Use case 1: Microsoft Build Engine Started By An Office Application A practical example using the Elastic stack as a SIEM solution to help understand how to map each of the use case points listed above. MSBuild, part of the Microsoft Build Engine, is … Read more
Log Management: Basics
Views: 12Introduction to Log Management Logs are a record of events within a system. These records provide a detailed account of what a system has been doing, capturing a wide range of events such as user logins, file accesses, system errors, network connections, and changes to data or system configurations. While the specific details may … Read more
Splunk: SPL Cheat Sheet for SOC Analysts
Views: 32Splunk Cheat Sheet Query to identify failed login attempts: Query to identify privilege escalation attempts: Query to identify failed SSH attempts: Query to identify successful SSH attempts: Query to identify unusual network traffic: Query to identify suspicious processes: Query to identify brute force attacks: Query to identify privilege escalation attempts on Windows systems: Query … Read more
Splunk Fundamentals
Views: 14Splunk Components Splunk Forwarder Splunk Forwarder is a lightweight agent installed on the endpoint intended to be monitored, and its main task is to collect the data and send it to the Splunk instance. Splunk Indexer Splunk Indexer plays the main role in processing the data it receives from forwarders. It takes the data, normalizes … Read more
Suricata rules to detect Web application attacks
Views: 84Here are some examples of Suricata rules that can be used to detect web application attacks: 1. SQL Injection: 2. Cross-Site Scripting (XSS): 3. Remote File Inclusion (RFI): 4. Local File Inclusion (LFI): 5. Command Injection: 6. Server-Side Request Forgery (SSRF): These are just a few examples, and you can modify or create additional … Read more