What’s a network beacon? Why is that important? Well, let’s start with a quick definition before jumping into detection design and KQL code.

As Google suggests, a beacon is a visible object serving as a signal or warning. That’s what we, as detection engineers, are looking for when deploying a new detection or analytic rule.

In our context, a beacon refers to traffic leaving the network at somewhat regular intervals with the purpose of communicating with a command-and-control server (C2).

This method can be used in a variety of ways: to ‘heartbeat’, to request new commands, or to download updates…


I’ve recently joined BlueVoyant where I’m having a great opportunity to be part of a talented team fully dedicated to Threat Detection Engineering and Threat Hunting practices. (we’re hiring!)

Among other things, besides designing detections to run on a much bigger scale (hundreds of customers), I’m finally playing with Microsoft’s Sentinel SIEM and KQL language.

One of the first challenges we face is about standardizing coding practice. As a benefit, it makes it easier and faster to maintain and improve the queries in the long run.

And here’s a quick example I’d like to share; feedback is always welcome.

How to make sure all “late arrivals” are checked by detection rules?

Late arrivals…


The idea of this post came after a Slack chat with Ryan Long, a Sr. Security Analyst who had asked this very question highlighted in the blog title.

Ryan, like many others, is realizing there’s sometimes a very thin line between analysis (operations) and engineering when it comes to threat detection.

Why is Threat Detection so trendy now?

Because the demand is higher? Because Cyber is becoming specialized? I wrote a blog post touching on this topic a few years ago. Let's start with some context first.

Machine Data & Modern Tooling

Logs, logs everywhere! Today we have too much data at our disposal, so much that we need to design data…


Threat Detection Engineering practice seems to be evolving. Not only because of easier log management methods and platforms, but because attackers will easily adapt to OOB security, evading detection and achieving their goals.

Nevertheless, access to all this data is only the start. The challenge for Blue Teamers keeps increasing, as log availability and other challenges around data polishing, such as filtering and normalization, are still not solved (never will?).

Here I cover one very strategic aspect related to this practice: once you have gathered enough ideas to start developing custom content, how to manage it?

Detection as code

This post is continuation…


I’ve had the chance to work with many great security teams during my career, and in 2012 I had the opportunity to join Verizon's SOC in Germany. That was a very challenging experience considering its massive-scale SecOps.

It was also by that time when I realized Splunk could be used as a sort of BI/Reporting platform given its ability to quickly generate eye-catching reports or dashboards from case or incident management systems data.

Today, when designing and building detection mechanisms, it's easier to notice the link between threat detection engineering practice and overall SOC services quality, regardless of target…


As organizations evolve in terms of detection & response capabilities, the more-than-a-decade-old SIEM remains an enterprise security must, acting as one of the main platforms within a cyber defense program.

Despite being overshadowed by easy-to-justify initiatives like vulnerability management and other prevention controls, investments in SIEM will be among the fastest-growing, with Security Analytics playing an important part.

As F-Secure's Mikko Hypponen says:

Every company is a software company.

In addition to in-house built, custom applications, for pretty much every new box or technology an enterprise brings in, it is likely producing new data (DB…


Despite being known to some, I am pretty sure the topic of this post will relate to many and perhaps even hurt a few.

Let’s start by addressing this well-known term, one of the main challenges for all SIEM or Log Management practitioners:

Event Normalization

While there are many definitions, most associate it with the process of following a standard for reducing records to common event attributes. That is, common field names and values.

In practice, while firewall X logs contain src and dst fields, firewall Y uses src_ip and dest_ip to store similar values. …


I was recently asked to help put together the qualifications or a high-level profile for a job ad to hire a good "security engineer".

But what do security engineers actually do?

Depending on how mature an organization is (or how large the budget is), I risk saying it may be that person responsible for all things "cyber"!

Or maybe the person who does market research (PoCs), security design and project delivery. But maybe also tunes the NIDS and, to top it all, he/she is also monitoring security alerts (accumulating architect/analyst roles).

Believe me, there are such security heroes out there. …


When planning for a Security Monitoring project, no matter if it’s a rule that triggers alerts or an interactive dashboard to support hunters, once you have gathered an initial set of feasible ideas, where to start?

A Quick Win is commonly referred to as the result of “High Value” plus “Low Effort” combo. In practice, here's how I see this approach in context with an organization investing in a new project:

The "Quick Wins" is a reliable way of providing reassurance to management, including those who invested in technology and people, paving the way for longer-term goals and more ambitious…


As a former SOC analyst, I used to spend a reasonable amount of my time figuring out what to learn next while the screens were getting filled with yet another unappealing event.

This was during the time RSS feeds were a big deal and reading blog posts or papers was still part of my weekly, sometimes daily routine (quite sporadically now). I am sure many of you have been or perhaps are still finding yourselves in the same situation.

But isn't it wiser to leverage the shift's time for improving your skills or learning new things rather than clicking another…

Alex Teixeira

Blueteamer. Threat Detection Engineering & Research.
