Tag: How to

Elastic for Security Analysts. Part 1: Searching Strings.
Elastic for Security Analysts. Part 1: Searching Strings.

Purpose: With Elastic increasing their foothold in the cybersecurity space through the speed and scalability of their solution, we expect more new Elastic users. These users will approach Elastic armed with an intuition built from experience with other platforms and SIEMs. Often this intuition will be directly challenged after a few searches in Elastic. The […]

Read More
Short-Cutting the Threat Hunting Process
Short-Cutting the Threat Hunting Process

Why Short-Cut The Threat Hunting Process? As with any security operations endeavor, we want to balance efficacy and efficiency to produce the best results with the smallest amount of resources. Unfortunately, Threat Hunting is often seen as a ‘luxury’, reserved only for the most advanced sec-ops teams with ample budgets to fund expert resources and […]

Read More
SOC Prime Threat Detection Marketplace – Getting Ready to Explore
SOC Prime Threat Detection Marketplace – Getting Ready to Explore

SOC Prime Threat Detection Marketplace (SOC Prime TDM) is a community-based library of relevant and actionable threat detection content that has been uniting cybersecurity content authors to stand on the defensive of cyberspace to deliver the best content to the community for more than five years already. SOC Prime TDM provides ready-made tested Rule Packs, […]

Read More
Threat Hunting Basics: Getting Manual
Threat Hunting Basics: Getting Manual

The purpose of this blog is to explain the necessity for manual (non-alert based) analysis methods in threat hunting. An example of effective manual analysis via aggregations/stack counting is provided. Automation Is Necessary Automation is absolutely critical and as threat hunters we must automate where possible as much as possible. However, automation is built on […]

Read More
Sigma Rules Guide for ArcSight
Sigma Rules Guide for ArcSight

Introduction to Sigma Sigma, created by Florian Roth and Thomas Patzke, is an open source project to create a generic signature format for SIEM systems. The common analogy is that Sigma is the log file equivalent of what Snort is to IDS and what YARA is for file based malware detection. However, unlike Snort and […]

Read More
Integrating QRadar with VirusTotal
Integrating QRadar with VirusTotal

Hello. In the last article we considered creating rules, and today I want to describe the method that will help SIEM administrators respond to possible security incidents faster. When working with information security incidents in QRadar it is extremely important to increase operators’ and analysts’ operation speed in SOC. Usage of built-in tools provides ample […]

Read More
Splunk. How to make color table rows based on conditions.
Splunk. How to make color table rows based on conditions.

In the previous article I have demonstrated how to create a simple dashboard that monitors accessibility of sources in Splunk. Today I want to demonstrate you how to make any table in the dashboard more obvious and convenient. Let’s look at my last article and continue to improve the functionality of the table that I […]

Read More
Creating Rules in IBM QRadar
Creating Rules in IBM QRadar

In my previous article, I wrote about how to update your IBM QRadar. But the correct operation of any SIEM is not only updating the build, or collection and storage of events from various data sources. The primary task of SIEM is to identify security incidents. The vendor provides preconfigured detection rules for IBM QRadar, […]

Read More
Updating IBM QRadar
Updating IBM QRadar

The efficient SIEM operation directly depends on fixing detected vulnerabilities and issues in its functioning. The primary method for this is updating the system to the latest version. Updates can include fixing security issues, releasing new functionality, improving system performance, patches, and so on. In my recent article, we reviewed how to create backups in […]

Read More
ArcSight. Optimizing EPS (Aggregation and Filtration)
ArcSight. Optimizing EPS (Aggregation and Filtration)

Almost all of the ArcSight beginners face a situation when there are a high incoming EPS from the log sources, especially when it is critical to License limits or causes performance issues. To reduce incoming EPS, ArcSight has two native methods for event processing: Event Aggregation and Filtration. In this article, I will try to […]

Read More