This is the first post in a series where I’ll cover detection engineering end to end. What is Detection Engineering? Detection engineering is a systematic approach to designing and refining analytics that detect specific malicious behaviors within a network. Unlike reactive incident response, detection engineering aims to create proactive detections Read more
Introduction Accurate, structured incident data is essential for effective analysis, reporting, and response. VERIS (Vocabulary for Event Recording and Incident Sharing) provides a standardized approach to categorize security incidents, improving insights and facilitating data sharing. By utilizing VERIS, organizations can leverage it in ServiceNow to gain both strategic and tactical Read more
Introduction KPIs are essential to aligning engineering team efforts with security goals and business objectives. In a metric driven security engineering environment, KPIs should be clear, actionable, and directly tied to team performance and productivity. The Role of KPIs in Security Engineering Core KPIs for Security Engineering Teams KPIs for Read more
Cribl’s pipeline capabilities make it a powerful tool for processing and enriching logs. In this post, we’ll explore how to apply advanced modifications to Zeek logs in Cribl. Each modification needs to be placed in individual Eval function blocks within your pipeline to avoid errors and ensure smooth processing. In Read more
Passkeys offer a passwordless and more secure way to authenticate to AWS accounts, reducing risks associated with credential-based attacks like phishing and password stuffing. Passkeys rely on cryptographic keys linked to users’ devices, making traditional passwords obsolete. This guide outlines the setup for passkeys in AWS IAM. What Are Passkeys? Read more
Identity and Access Management (IAM) is a critical cybersecurity frameworks which ensures that the right individuals and systems have appropriate access to an organization’s resources. In this post, I will break down IAM’s core concepts, explain its critical components, and provide technical examples of implementation. What is IAM? IAM refers Read more
Machine learning offers powerful tools for detecting anomalies in network traffic. This post includes technical details, sample logs, and Linux-based scripts to help you get started with anomaly detection using machine learning techniques. 1. Supervised Learning with Decision Trees Objective: Detect DDoS attacks by classifying normal vs. abnormal traffic using Read more
Safeguarding sensitive company information and ensuring compliance is essential in this day and age. Microsoft Purview offers a robust solution for unified data governance, protection, and compliance management across your organization. Step 1: Access Microsoft Purview Portal Step 2: Create a Microsoft Purview Account in Azure Step 3: Set Up Read more
Building a DevSecOps CI/CD Pipeline with Jenkins, SonarQube, and Snyk Using Terraform Introduction Incorporating security into Continuous Integration/Continuous Deployment (CI/CD) pipelines is a core DevSecOps practice. By leveraging tools like Jenkins, SonarQube, and Snyk, you can automate static and dependency vulnerability scans within your pipeline. This post will guide you Read more
Ansible simplifies IT automation by allowing you to configure, deploy, and manage infrastructure with straightforward YAML files. Here’s how we used Ansible to deploy Jenkins, SonarQube, and a sample application while automating repetitive tasks across our setup. We’ll also cover some powerful ways to extend Ansible’s capabilities. Table of Contents Read more
Overview For effective security management, you need visibility into your environment. SentinelOne offers powerful tools for auditing, reporting, and notifications that give you real-time insights, historical data, and alerts on critical events. Today, we’ll explore how to set up and customize these tools to maintain security oversight and ensure compliance. Read more
Overview Today, we’re exploring Advanced Detection Engines and Automation in SentinelOne. With advanced detection capabilities like Static and Behavioral AI, SentinelOne goes beyond traditional endpoint detection. Adding automation to these capabilities can help streamline responses and allow your team to focus on high-priority threats. Let’s break down how to configure Read more
Overview In this post, we’ll explore Incident Management and Threat Response workflows in SentinelOne. Here’s where the SentinelOne platform truly shines, offering a comprehensive toolset for managing incidents from detection through resolution. We’ll dive into the Incidents Tab, explain critical response actions, and touch on threat analysis tools like VirusTotal Read more
Overview In this post, we’ll focus on two critical components of SentinelOne: Sentinels and Policy Configuration. Sentinels manage your endpoints, allowing you to take actions like quarantine, remote shell access, and file retrieval. We’ll also cover setting up robust policies, including Detect and Protect modes, so your endpoints remain secure. Read more
Overview This is the first post of several in the S1 series. I wanted to write these in a way where you can get up to speed in S1 as quickly as possible. In today’s post, we’ll walk through the essentials of getting SentinelOne up and running, customizing the console Read more
All kinds of interesting information can be found using the Elasticsearch API. https://www.elastic.co/guide/en/elasticsearch/reference/current/search-search.html I find it easier than using Kibana, but Kibana was necessary to figure out the query language. Using the same queries, you can save out results and sort through them. The simplest example would be something like Read more
I started with acloud.guru AWS Certified Solutions Architect Associate course. https://acloudguru.com/course/aws-certified-solutions-architect-associate-saa-c02 If you get the pro subscription, you get access to labs without having to create your own AWS accounts. I think it’s 50 bucks a month, but you may be able to find this on Udemy for cheaper. AWS Read more
Using FreeBSD 12 RELEASE disc1https://download.freebsd.org/ftp/releases/amd64/amd64/ISO-IMAGES/12.0/ Once the system is up, install the packages below. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/12.0-RELEASE/src.txz# tar -C / -xzvf src.txz# portsnap fetch && portsnap extract# pkg update -f && pkg upgrade && pkg install -y open-vm-tools sudo vim htop py27-pip git netmap lua51 gmake gzip bro Additional system Read more
In today’s evolving threat landscape, large organizations must leverage the power of open-source security solutions to protect their networks. This post will explore a real-world example of how a security operations center (SOC) implemented several open-source tools and platforms to detect and respond to sophisticated threats. Deployment of Intrusion Detection Read more