Endpoint Detection and Response (EDR): LimaCharlie (Part 01)

This entry is part 1 of 1 in the series Endpoint Detection and Response (EDR)

Introduction to Endpoint Detection and Response (EDR). Endpoint Detection and Response (EDR) is a cybersecurity solution designed to detect, investigate, and respond to threats at the endpoint level. Endpoints include devices such as laptops, desktops, servers, and mobile devices that connect to an organization’s network. These are often the primary targets for attackers, making them …

SNORT 101 (Part 03)

This entry is part 13 of 4 in the series Intrusion Detection and Prevention

Snort Rules. Each rule has an action, a protocol, a source and destination IP, a source and destination port, and an options block. Remember that Snort runs in passive mode by default, so most of the time we use it as an IDS; inline mode has to be enabled to turn on IPS mode. The Snort rule structure …

SNORT 101 (Part 02)

This entry is part 14 of 4 in the series Intrusion Detection and Prevention

Snort in IDS/IPS mode. IDS/IPS mode with parameter “-A”: there are several alert modes available in Snort, but only the “console” and “cmg” modes print alert information to the terminal. The differences between the remaining alert modes are not visible in the terminal; they can only be seen by inspecting the generated log files. IDS/IPS mode with parameter “-A console” …
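The two Snort excerpts above cover the rule header fields, the option block, and the “-A console” versus inline distinction. As an added example (not code from the original posts), the script below checks that each line of a rule file has the seven header fields and a `sid` option before the file is handed to Snort, and records the commands for passive and inline operation. It assumes Snort 2 rule syntax, single-line rules without parentheses inside option values, and the default configuration path `/etc/snort/snort.conf`; the two sample rules are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original posts: a structural check for Snort 2 rules.
# Assumptions: single-line rules, no "(" inside option values, Snort 2 installed with
# its configuration at /etc/snort/snort.conf (default path, not taken from the posts).

# check_rule RULE: verify the seven header fields and that the option block carries a sid.
# Header layout: action protocol src_ip src_port direction dst_ip dst_port (options)
check_rule() {
  rule=$1
  case "$rule" in
    *\(*\)*) ;;
    *) echo "check_rule: missing option block: $rule" >&2; return 1 ;;
  esac
  header=${rule%%\(*}          # text before the first "("
  options=${rule#*\(}          # text after the first "("
  set -f                       # no pathname expansion while splitting the header
  set -- $header
  set +f
  if [ "$#" -ne 7 ]; then
    echo "check_rule: header must be action proto src sport dir dst dport, got $# fields" >&2
    return 1
  fi
  case "$1" in alert|log|pass|drop|reject|sdrop) ;;
    *) echo "check_rule: unknown action '$1'" >&2; return 1 ;; esac
  case "$2" in tcp|udp|icmp|ip) ;;
    *) echo "check_rule: unknown protocol '$2'" >&2; return 1 ;; esac
  case "$5" in '->'|'<>') ;;
    *) echo "check_rule: bad direction operator '$5'" >&2; return 1 ;; esac
  case "$options" in *sid:*) ;;
    *) echo "check_rule: option block has no sid" >&2; return 1 ;; esac
  return 0
}

# write_rules FILE: constructed sample rules (not from the posts) exercising the checker.
write_rules() {
  cat > "$1" <<'EOF'
# ICMP echo request towards HOME_NET
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000001; rev:1;)
# TCP SYN to port 22 on HOME_NET
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; flags:S; sid:1000002; rev:1;)
EOF
}

# lint_file FILE: run check_rule over every non-comment line; return the number of bad rules.
lint_file() {
  bad=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    check_rule "$line" || bad=$((bad + 1))
  done < "$1"
  return "$bad"
}

# Stand-alone run: write the sample file and lint it.
demo_rules=${TMPDIR:-/tmp}/local.rules
write_rules "$demo_rules"
lint_file "$demo_rules" && echo "all rules in $demo_rules pass the structural check"

# After the lint, with Snort 2 installed and the rule file included from snort.conf:
#   snort -T -c /etc/snort/snort.conf                       # parse config and rules, then exit
#   snort -c /etc/snort/snort.conf -A console -i eth0        # passive IDS: alerts printed to the terminal
#   snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf -A console   # inline IPS, can drop
```

The check only validates shape (seven header fields, a known action and protocol, a direction operator, a `sid`); `snort -T` is still the authoritative parse, and the `-Q` inline form needs two interfaces bridged by the afpacket DAQ, which is what lets `drop` rules act rather than merely alert.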

Snort 101 (Part 01)

This entry is part 2 of 4 in the series Intrusion Detection and Prevention

Intrusion Detection System (IDS). An IDS is a passive monitoring solution for detecting possible malicious activities and patterns, abnormal incidents, and policy violations. It is responsible for generating an alert for each suspicious event. There are two main types of IDS. Intrusion Prevention System (IPS). An IPS is an active protection solution for preventing possible malicious activities and patterns, abnormal incidents, and policy violations. …

Splunk SIEM: Search Processing Language (SPL) Basics

This entry is part 7 of 4 in the series Splunk 101

Splunk Search Processing Language comprises multiple functions, operators and commands that are combined to build simple to complex searches and retrieve the desired results from the ingested logs. Main components of SPL: Search Field Operators. Comparison Operators: these operators compare values against fields. Field Name Operator …

Ship OPNsense Firewall Logs To Splunk SIEM

Shipping OPNsense firewall logs to Splunk centralizes log management, allowing seamless consolidation with other network and system logs. This integration improves visibility into network traffic, enabling the identification of threats such as port scans, malware command-and-control communication, and brute-force attacks. By correlating OPNsense logs with logs from other sources, organizations can perform faster root …

Wazuh: VirusTotal Integration

Wazuh Integration with VirusTotal. Overview: Wazuh integrates with VirusTotal to detect malicious files via the File Integrity Monitoring (FIM) module, which allows monitored files to be checked against VirusTotal for potential threats. About VirusTotal: create an account on the VirusTotal website and obtain a public API key to use in this lab. How the Wazuh Integration Works. Configuration Steps …

Operationalizing Security: CALDERA Meets WAZUH (PART II)

This entry is part 2 of 14 in the series Red Team Engagements

Adversary emulation with Caldera and Wazuh. Please visit here to read PART I of this series, which explains the Caldera setup and Windows agent installation. Agent setup: deploy agents on Linux machines. The lab now consists of 2 Windows victims and 1 Linux victim, as reported by Caldera below. Configure Sysmon on the Windows victims …

Operationalizing Security: CALDERA Meets WAZUH (PART I)

This entry is part 1 of 14 in the series Red Team Engagements

CALDERA™ is an open-source framework designed to run autonomous adversary emulation exercises efficiently. It enables users to emulate real-world attack scenarios and assess the effectiveness of their security defences. In addition, it provides a modular environment for red team engagements, supporting red team operators in the manual execution of TTPs and blue teamers in automated …

(TryHackMe) Servidae: Log Analysis in ELK

This entry is part 1 of 3 in the series TryHackMe

Link to the TryHackMe room: https://tryhackme.com/r/room/servidae. Room objectives: in this room, we will analyze the log data from a compromised workstation using the Kibana interface. Within the room’s tasks, we will explore the components of the Elastic (ELK) Stack and gain insight into the various search and filter functions available in Kibana. Our ultimate …