Discover and read the best of Twitter Threads about #siem
Most recents (11)
1/ I am taking a little break but couldn’t resist checking-out my favourite open-source projects for any updates. Doing so, I thought it will be useful to share my top 10 projects that anyone in the #infosec field should know about. Here they are 🧵:
2/ 📊 HELK (buff.ly/3BHn9iR): The Hunting ELK (HELK) project provides an analytics and threat hunting platform for security teams to identify and respond to threats in their environment. Just load your logs and start hunting! #HELK #ThreatHunting 
3/ 🔍 Sigma(buff.ly/3q12WOC ): Sigma enables infosec peeps to create rules for SIEM systems for detecting and responding to security incidents. It also allows us to share our rules in a non-vendor-specific format! Free detections anyone!?! #Sigma #SIEM
🚨🔍👨💻🛡️ I got few questions about what a Detection Engineers does. Daily tasks range from monitoring security systems to designing and developing detection logic? Here are some common tasks that I perform on given day #Cybersecurity #DetectionEngineer #SecurityOperations #SIEM
1️⃣ Building SIEM Architecture
Some detection engineers build SIEM architecture to collect, process, store, analyze, and respond to security-related data from various sources to identify potential security threats and alerts the security team.
Some detection engineers build SIEM architecture to collect, process, store, analyze, and respond to security-related data from various sources to identify potential security threats and alerts the security team.
2️⃣ Monitoring Security Systems
Detection engineers monitor security systems, review logs/alerts/reports, identify potential threats, and investigate suspicious activities. Essential in security ops.
Detection engineers monitor security systems, review logs/alerts/reports, identify potential threats, and investigate suspicious activities. Essential in security ops.
✅General
📎Windows Logging Basics - lnkd.in/grKYFQzJ
📎Jose Bravo - What is a SIEM? (5 Vídeos): lnkd.in/gc2UDpeD
📎PowerSIEM Analyzing Sysmon Events with PowerShell: lnkd.in/g_8Eq8vm
📎Windows Logging Basics - lnkd.in/grKYFQzJ
📎Jose Bravo - What is a SIEM? (5 Vídeos): lnkd.in/gc2UDpeD
📎PowerSIEM Analyzing Sysmon Events with PowerShell: lnkd.in/g_8Eq8vm
Building SOC 101:
SOC Tools: Review of the essential security monitoring tools you’ll need for building a Successful SOC.
In this thread, we’ll learn the details of these SOC tools & technologies 🧵
#infosec #cybersecurity #Pentesting #informationsecurity #hacking #CISSP
SOC Tools: Review of the essential security monitoring tools you’ll need for building a Successful SOC.
In this thread, we’ll learn the details of these SOC tools & technologies 🧵
#infosec #cybersecurity #Pentesting #informationsecurity #hacking #CISSP
The essential SOC capabilities include
1.Asset discovery
2.Vulnerability assessment
3.Behavioral monitoring
4.#Intrusion_detection
5.#SIEM
1.Asset discovery
2.Vulnerability assessment
3.Behavioral monitoring
4.#Intrusion_detection
5.#SIEM
1.Asset Discovery:
- Knowing what’s on your network is the 1st step in protecting what’s on your network.
- You need to know what systems exist –
a.laptops and servers - as well as what’s been installed and running on those systems e.g. apps, services, and active ports.
- Knowing what’s on your network is the 1st step in protecting what’s on your network.
- You need to know what systems exist –
a.laptops and servers - as well as what’s been installed and running on those systems e.g. apps, services, and active ports.
There’s no more strategic thing than defining where you want to get to and measuring it.
Strategy informs what "great" means, daily habits get you started (and keep you going) and measurements tell you if you’re there or not.
A 🧵 on #SOC strategy / metrics:
Strategy informs what "great" means, daily habits get you started (and keep you going) and measurements tell you if you’re there or not.
A 🧵 on #SOC strategy / metrics:
Before we hired our first #SOC analyst or triaged our first alert, we defined where we wanted to get to; what great looked like.
Here’s [some] of what we wrote:
Here’s [some] of what we wrote:
We believe that a highly effective SOC:
1. leads with tech; doesn’t solve issues w/ sticky notes
2. automates repetitive tasks
3. responds and contains incidents before damage
4. has a firm handle on capacity v. loading
5. is able to answer, “are we getting better, or worse?”
1. leads with tech; doesn’t solve issues w/ sticky notes
2. automates repetitive tasks
3. responds and contains incidents before damage
4. has a firm handle on capacity v. loading
5. is able to answer, “are we getting better, or worse?”
Awesome tip for using canarytokens.org/generate honeypot traps as a defence mechanism & #SIEM 🤯
1/3
There are three fun techniques for those who are constantly under attack.
One of them is to set up similar honeypots, IP loggers like “grabify dot link” and put a script for notifications.
👇👇👇
There are three fun techniques for those who are constantly under attack.
One of them is to set up similar honeypots, IP loggers like “grabify dot link” and put a script for notifications.
👇👇👇
2/3
The second is to set up fake wallets, potential targets and name them tempting for the hacker. If you try to steal money from them (the hacker will probably notice them first), you can get a notification from @TenderlyApp or own script via SMS.
👇👇👇
The second is to set up fake wallets, potential targets and name them tempting for the hacker. If you try to steal money from them (the hacker will probably notice them first), you can get a notification from @TenderlyApp or own script via SMS.
👇👇👇
Can we detect ZIP / JScript for initial access on 🪟?
1. Open txt editor
2. var WshShell = new ActiveXObject("Wscript.Shell");
WshShell.Popup("You can configure WSH files to open in Notepad");
WScript.exit;
3. Save as 1.js
4. Double-click
5. Query SIEM / EDR
1. Open txt editor
2. var WshShell = new ActiveXObject("Wscript.Shell");
WshShell.Popup("You can configure WSH files to open in Notepad");
WScript.exit;
3. Save as 1.js
4. Double-click
5. Query SIEM / EDR
What about #BEC in O365?
1. Create an inbox rule to fwd emails to the RSS Subscriptions folder
2. Query your SIEM
3. How often does this happen?
4. Can you build alert or cadence around inbox rule activity?
1. Create an inbox rule to fwd emails to the RSS Subscriptions folder
2. Query your SIEM
3. How often does this happen?
4. Can you build alert or cadence around inbox rule activity?
What about lateral movement?
1. Open PS
2. wmic /node:localhost process call create "cmd.exe /c notepad"
3. winrs:localhost "cmd.exe /c calc"
4. schtasks /create /tn legit /sc daily /tr c:\users\<user>\appdata\legit.exe
5. Query SIEM / EDR
1. Open PS
2. wmic /node:localhost process call create "cmd.exe /c notepad"
3. winrs:localhost "cmd.exe /c calc"
4. schtasks /create /tn legit /sc daily /tr c:\users\<user>\appdata\legit.exe
5. Query SIEM / EDR
Hey for all you #infosec friends stuck with #ibm #qradar just like me, just remember it’s still better than having no #siem at all. Here is my contribution to the community, a mega thread of qradar tips to improve your life
#qradartips
0/N
#qradartips
0/N
Qradar Tip #1
equals is case sensitive
username equals 'neonprimetime'
will not find 'Neonprimetime'
(notice the capital N)
from the GUI use contains to be case insensitive!
#qradartips 1/N
equals is case sensitive
username equals 'neonprimetime'
will not find 'Neonprimetime'
(notice the capital N)
from the GUI use contains to be case insensitive!
#qradartips 1/N
Qradar Tip #2
avoid using the GUI for filtering
instead teach yourself AQL
use the "Advanced Search" drop down
it's a powerful SQL-like language
that will allow you to performance tune queries
use complex boolean logic
and much more!
ibm.com/support/knowle…
#qradartips 2/N
avoid using the GUI for filtering
instead teach yourself AQL
use the "Advanced Search" drop down
it's a powerful SQL-like language
that will allow you to performance tune queries
use complex boolean logic
and much more!
ibm.com/support/knowle…
#qradartips 2/N
So, I discovered my presentation on #SIEM from 2012 where I talked about "SIEM trifecta of complexity" which is "complexity of deployment, administration, operation." Guess what? Much of 2020 SIEM has this too....
Specifically:
BTW, I found the whole thing, but only look if you promise NOT to laugh: slideshare.net/anton_chuvakin…
Threat Hunting In #CyberSecurity : Waiting for an alert can be too dangerous.
Threat hunting means to proactively search for malware or attackers that are hiding in your network — and may have been there for some time.
Most time, the goals of these malware or attackers can be to quietly siphoning off data, patiently listening in for confidential information, or working their way through the network looking for credentials powerful enough to steal key information.
I've got a story to share. Not as exciting as the exploits of @TinkerSec, @HydeNS33k, or @_sn0ww, but a story nonetheless. #DFIR & #BlueTeam in nature. 1/
I worked for a service provider back in the day. And we provided email accounts to customers. 2/
