This is a more technical post to exemplify how my workflow goes when designing and implementing a new detection while serving as follow-up from a previous post The role of ‘Novelty’ and ‘Behaviour’ in Computer Forensics & Detection Engineering.

When you start following security researchers and their work, it’s truly fascinating the amount of detection use cases that can be derived from there.

Let’s take as an example the great article written by John Dwyer (IBM X-Force) in which he highlights many detection aspects around another very common technique leveraged by attackers: DLL Side-Loading.

DiD, you know?

There are of course multiple detection…

This is just another quick blog that could not fit in a tweet, which is hopefully inspiring for all Detection Engineering teams out there.

First off, let's get the definitions loud and clear:

Novelty: the quality of being new, original, or unusual.

Behaviour: the way in which one acts or conducts oneself.

Those are perhaps the main traits we should consider when designing or engineering a detection system.

One action, multiple traces

I used to say Forensics happens after the fact, while Detection should happen right after the fact, and both are really challenging!

Let alone Prevention, which should happen before the fact.

The Splunk language is very powerful. I've been writing SPL for years and I still keep discovering new ways to use it, especially when browsing the docs or the community forums trying to solve another problem.

This year, I've published a query for detecting multiple flavors of password brute-force attacks using the streamstats command. That query leverages some of the characteristics of what I am calling a Splunk Hyper Query.

So what's a Hyper Query?

Hyper- is a prefix from Greek meaning “over,” usually implying excess or exaggeration (hyperbole).

In a similar way, a SIEM hyper query (overly) performs multiple checks and iterations over the…

What’s a network beacon? Why is that important? Well, let’s start with a quick definition before jumping into detection design and KQL code.

As Google suggests, beacon is a visible object serving as a signal or warning. That’s what we, as detection engineers, are looking for when deploying a new detection or analytic rule.

In our context, beacon is referred to as traffic leaving the network at somewhat regular intervals with the purpose of communicating with a command-and-control server (C2).

This method can be used in a variety of ways: to ‘heartbeat’, to request new commands, or to download updates…

I’ve recently joined BlueVoyant where I’m having a great opportunity to be part of a talented team fully dedicated to Threat Detection Engineering and Threat Hunting practices. (we’re hiring!)

Among other things, besides designing detections to run on a much bigger scale (hundreds of customers), I’m finally playing with Microsoft’s Sentinel SIEM and KQL language.

One of the first challenges we face is about standardizing coding practice. As a benefit, it makes it easier and faster to maintain and improve the queries in the long run.

And here’s a quick example I’d like to share; feedback is always welcome.

How to make sure all “late arrivals” are checked by detection rules?

Late arrivals…

The idea of this post came after a Slack chat with Ryan Long, a Sr. Security Analyst who had asked this very question highlighted in the blog title.

Ryan, as many others, is realizing there’s sometimes a very thin line between analysis (operations) and engineering when it comes to threat detection.

Why is Threat Detection so trendy now?

Because the demand is higher? Because Cyber is becoming specialized? I wrote a blog post touching on this topic a few years ago. Let's start with some context first.

Machine Data & Modern Tooling

Logs, logs everywhere! Today we have too much data at our disposal, so much that we need to design data…

Threat Detection Engineering practice seems to be evolving. Not only because of easier log management methods and platforms, but because attackers will easily adapt to OOB security, evading detection and achieving their goals.

Nevertheless, access to all this data is only the start. The challenge for Blue Teamers keeps increasing, as log availability and other challenges around data polishing, such as filtering and normalization, are still not solved (never will be?).

Here I cover one very strategic aspect related to this practice: once you have gathered enough ideas to start developing custom content, how to manage it?

Detection as code

This post is continuation…

I’ve had the chance to work with many great security teams during my career and in 2012, I had the opportunity to join Verizon's SOC in Germany. That was a very challenging experience considering its massive scale SecOps.

It was also by that time when I realized Splunk could be used as a sort of BI/Reporting platform given its ability to quickly generate eye-catching reports or dashboards from case or incident management systems data.

Today, when designing and building detection mechanisms, it's easier to notice the link between threat detection engineering practice and overall SOC services quality, regardless of target…

As organizations evolve in terms of detection & response capabilities, the more-than-a-decade-old SIEM remains an enterprise security must, acting as one of the main platforms within a cyber defense program.

Despite being overshadowed by easy-to-justify initiatives like vulnerability management and other prevention controls, investments in SIEM will be among the fastest-growing, with Security Analytics playing an important part.

As F-Secure's Mikko Hypponen says:

Every company is a software company.

In addition to in-house built, custom applications, for pretty much every new box or technology an enterprise brings in, it is likely producing new data (DB…

Despite being known to some, I am pretty sure the topic of this post will relate to many and perhaps even hurt a few.

Let’s start by addressing this well-known term, one of the main challenges for all SIEM or Log Management practitioners:

Event Normalization

While there are many definitions, most associate it with the process of following a standard for reducing records to common event attributes. That is, common field names and values.

In practice, while firewall X logs contain src and dst fields, firewall Y uses src_ip and dest_ip to store similar values. …

Alex Teixeira

Blueteamer. Threat Detection Engineering & Research.
