Below is a question I started asking myself some years ago when I had realized I could write log-based detection content for a living: How to determine detection value? How could customers buy a “detection” if they cannot evaluate its value? …

Detection Engineering is really making its way into the lexicon of what Cybersecurity customers demand today. After advocating for that practice for many years, I thought it would be great to share a few bullets on that. This might not only serve practitioners in the field but also product managers…

Alright, it’s been more than a year after publishing the first part of this article, so time to remove it from drafts. In case you haven’t checked the first part entirely, let's start with a quick recap on what a SIEM Hyper Query is about if you want to take…

This is a quick one just to share a win I've been recently through that might be applicable or inspirational (why not?) to some while sharing my unasked opinion on SOAR — from a detection engineer perspective. Before exploring the topic deeper, check if you agree on the following needs: …

TL;DR: tstats + term() + walklex = super speedy (and accurate) queries. Leveraging Splunk terms by addressing a simple, yet highly demanded SecOps use case. How do you search for IOCs in Splunk? When you have an IP address, do you map all data sources that might contain a valid IP address entry? What if a field is…

This is a more technical post to exemplify how my workflow goes when designing and implementing a new detection while serving as follow-up from a previous post The role of ‘Novelty’ and ‘Behaviour’ in Computer Forensics & Detection Engineering. When you start following security researchers and their work, it’s truly…

This is just another quick blog that could not fit in a tweet which is hopefully inspiring for for all Detection Engineering teams out there. First off, let's get the definitions loud and clear: Novelty: the quality of being new, original, or unusual. Behaviour: the way in which one acts…

The Splunk language is very powerful. I've been writing SPL for years and I still keep discovering new ways to use it, especially when browsing the docs or the community forums trying to solve another problem. This year, I've published a query for detecting multiple flavors of password brute-force attacks…

What’s a network beacon? Why is that important? Well, let’s start with a quick definition before jumping into detection design and KQL code. As Google suggests, beacon is a visible object serving as a signal or warning. …