The Splunk language is very powerful. I've been writing SPL for years and I still keep discovering new ways to use it, especially when browsing the docs or the community forums trying to solve another problem.
This year, I've published a query for detecting multiple flavors of password brute-force attacks using the streamstats command. That query leverages some of the characteristics of what I am calling a Splunk Hyper Query.
Hyper- is a prefix from Greek meaning “over,” usually implying excess or exaggeration (hyperbole).
In a similar way, a SIEM hyper query (overly) performs multiple checks and iterations over the…
What’s a network beacon? Why is that important? Well, let’s start with a quick definition before jumping into detection design and KQL code.
As Google suggests, a beacon is a visible object serving as a signal or warning. That’s what we, as detection engineers, are looking for when deploying a new detection or analytic rule.
In our context, a beacon refers to traffic leaving the network at somewhat regular intervals with the purpose of communicating with a command-and-control (C2) server.
This method can be used in a variety of ways: to ‘heartbeat’, to request new commands, or to download updates…
Among other things, besides designing detections to run on a much bigger scale (hundreds of customers), I’m finally playing with Microsoft’s Sentinel SIEM and KQL language.
One of the first challenges we face is about standardizing coding practice. As a benefit, it makes it easier and faster to maintain and improve the queries in the long run.
And here’s a quick example I’d like to share; feedback is always welcome.
The idea of this post came after a Slack chat with Ryan Long, a Sr. Security Analyst who had asked this very question highlighted in the blog title.
Ryan, as many others, is realizing there’s sometimes a very thin line between analysis (operations) and engineering when it comes to threat detection.
Because the demand is higher? Because Cyber is becoming specialized? I wrote a blog post touching on this topic a few years ago. Let's start with some context first.
Logs, logs everywhere! Today we have too much data at our disposal, so much that we need to design data…
Threat Detection Engineering practice seems to be evolving. Not only because of easier log management methods and platforms, but because attackers will easily adapt to OOB security, evading detection and achieving their goals.
Nevertheless, access to all this data is only the start. The challenge for Blue Teamers keeps increasing as log availability and other challenges around data polishing, such as filtering and normalization, are still not solved (and never will be?).
Here I cover one very strategic aspect related to this practice: once you have gathered enough ideas to start developing custom content, how to manage it?
I’ve had the chance to work with many great security teams during my career and in 2012, I had the opportunity to join Verizon's SOC in Germany. That was a very challenging experience considering its massive-scale SecOps.
It was also around that time that I realized Splunk could be used as a sort of BI/Reporting platform, given its ability to quickly generate eye-catching reports or dashboards from case or incident management system data.
Today, when designing and building detection mechanisms, it's easier to notice the link between threat detection engineering practice and overall SOC services quality, regardless of target…
As organizations evolve in terms of detection & response capabilities, the more-than-a-decade-old SIEM remains an enterprise security must, acting as one of the main platforms within a cyber defense program.
Despite being overshadowed by easy-to-justify initiatives like vulnerability management and other prevention controls, investments in SIEM will be among the fastest-growing, with Security Analytics playing an important part.
As F-Secure's Mikko Hypponen says:
Every company is a software company.
In addition to in-house built, custom applications, for pretty much every new box or technology an enterprise brings in, it is likely producing new data (DB…
Despite being known to some, I am pretty sure the topic of this post will relate to many and perhaps even hurt a few.
Let’s start by addressing this well-known term, one of the main challenges for all SIEM or Log Management practitioners:
While there are many definitions, most associate it with the process of following a standard for reducing records to common event attributes. That is, common field names and values.
In practice, while firewall X logs contain src and dst fields, firewall Y uses src_ip and dest_ip to store similar values. …
I was recently asked to help put together the qualifications, or a high-level profile, for a job ad to hire a good "security engineer".
Depending on how mature an organization is (or how large the budget is), I risk saying it may be that person responsible for all things "cyber"!
Or maybe the person who does market research (PoCs), security design and project delivery. But maybe also the one who tunes the NIDS and, to top it all off, is also monitoring security alerts (accumulating architect/analyst roles).
Believe me, there are such security heroes out there. …
When planning for a Security Monitoring project, no matter if it’s a rule that triggers alerts or an interactive dashboard to support hunters, once you have gathered an initial set of feasible ideas, where to start?
A Quick Win is commonly referred to as the result of a “High Value” plus “Low Effort” combo. In practice, here's how I see this approach in the context of an organization investing in a new project:
"Quick Wins" are a reliable way of providing reassurance to management, including those who invested in technology and people, paving the way for longer-term goals and more ambitious…
Blueteamer. Threat Detection Engineering & Research.