BLUE TEAM – Page 5 – NetwerkLABS

DETECT Threat Detection and Incident Response BLUE TEAM

Analysis with Wireshark

TShark VS. Wireshark (Terminal vs. GUI) TShark is a purpose-built terminal tool based on Wireshark. TShark shares many of the same features that are included in Wireshark and even shares syntax and options. TShark is perfect…

Bharath Narayanasamy wireshark

Cheat Sheets IDENTIFY DETECT

TCPDump

Locate tcpdump which tcpdump Install TCPdump sudo apt install tcpdump Tcpdump Version Validation sudo tcpdump --version TCPDump will resolve IPs to hostnames by default. Traffic Captures with Tcpdump Basic Capture Options Switch CommandResultDWill display any interfaces…

Bharath Narayanasamy tcpdump

DETECT Elastic SIEM

Elastic SIEM: Developing Dashboards & Visualization

Use case 1: Failed Logon Attempts (Disabled Users) https://youtu.be/7Uyqek-FdwI Use case 2: Failed Logon Attempts (using Admin Accounts) https://youtu.be/UGRmsoqk0EM Use case 3: Successful RDP Logon Related To Service Accounts https://youtu.be/eRjA6TpEryk Use case 4: Users Added Or…

Bharath Narayanasamy SIEM, Elastic, Threat_hunting

BLUE TEAM DETECT Elastic SIEM

SIEM Use cases

How To Build SIEM Use Cases Comprehend your needs, risks, and establish alerts for monitoring all necessary systems accordingly. Determine the priority and impact, then map the alert to the kill chain or MITRE framework. Establish…

Bharath Narayanasamy SIEM, Elastic, Usecase

BLUE TEAM Intrusion Detection and Response

Log Management: Basics

Introduction to Log Management Logs are a record of events within a system. These records provide a detailed account of what a system has been doing, capturing a wide range of events such as user logins,…

Bharath Narayanasamy

NIST DETECT

NIST – DETECT: Categories and Subcategories

Bharath Narayanasamy

NIST IDENTIFY

NIST – IDENTIFY: Categories and Subcategories

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

Bharath Narayanasamy NIST, IDENTIFY

NIST

NIST Cybersecurity Framework v1.1: Fundamentals

NIST Functions Identify – Understand what you have and includes activities such as asset management, governance, risk assessment. Protect – Build safeguards and controls to protect what is important to you. Detect – Implement capabilities to…

Bharath Narayanasamy NIST

Splunk Splunk Basics Investigating with Splunk

Splunk: SPL Cheat Sheet for SOC Analysts

Splunk Cheat Sheet Query to identify failed login attempts: #Query to identify failed login attempts: sourcetype=auth* "authentication failure" | stats count by user | sort -count Query to identify privilege escalation attempts: #Query to identify privilege…

Bharath Narayanasamy splunk, SPL

Splunk

Splunk Fundamentals

Splunk Components Splunk Forwarder Splunk Forwarder is a lightweight agent installed on the endpoint intended to be monitored, and its main task is to collect the data and send it to the Splunk instance. Splunk Indexer Splunk…

Bharath Narayanasamy