#siem

Tedi Heriyanto<p>My SIEM-Agnostic Creative Process to Detection Engineering: <a href="https://osintteam.blog/my-siem-agnostic-creative-process-to-detection-engineering-4e401ac60b63" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">osintteam.blog/my-siem-agnosti</span><span class="invisible">c-creative-process-to-detection-engineering-4e401ac60b63</span></a></p><p><a href="https://infosec.exchange/tags/siem" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>siem</span></a> <a href="https://infosec.exchange/tags/soc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>soc</span></a> <a href="https://infosec.exchange/tags/detectionengineering" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>detectionengineering</span></a></p>
Paco Hope #resist<p>If anybody out there is working on using <a href="https://infosec.exchange/tags/LLMs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LLMs</span></a> or <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AI</span></a> to analyze <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> events in AWS, I wonder if you're considering bullshit attacks via event injection. Let me explain. I'm openly musing about something I don't know much about.</p><p>You might be tempted to pipe a lot of EventBridge events into some kind of AI that analyzes them looking for suspicious events. Or you might hook up to CloudWatch log streams and read log entries from, say, your lambda functions looking for suspicious errors and output.</p><p>LLMs are going to be terrible at validating message authenticity. If you have a lambda that is doing something totally innocuous, but you make it <code>print()</code> some JSON that looks just like a GuardDuty finding, that JSON will end up in the lambda function's CloudWatch log stream. Then if you're piping CloudWatch Logs into an LLM, I don't think it will be smart enough to say "wait a minute, why is JSON that looks like a GuardDuty finding being emitted by this lambda function on its stdout?"</p><p>You and I would say "that's really weird. That JSON shouldn't be here in this log stream. Let's go look at what that lambda function is doing and why it's doing that." (Oh, it's Paco and he's just fucking with me) I think an LLM is far more likely to react "<em>Holy shit! there's a really terrible GuardDuty finding!</em> Light up the pagers! Red Alert!"</p><p>Having said this, I'm <strong>not</strong> doing this myself. I don't have any of my <a href="https://infosec.exchange/tags/AWS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AWS</span></a> logging streaming into any kind of <a href="https://infosec.exchange/tags/AI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AI</span></a>. So maybe it's better than I think it is. But LLMs are notoriously bad at ignoring anything in their input stream. They tend to take it all at face value and treat it all as legit.</p><p>You might even try this with your <a href="https://infosec.exchange/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a>. Is it smart enough to ignore things that show up in the wrong context? Could you emit the JSON of an AWS security event in, say, a Windows Server Event Log that goes to your SIEM? Would it react as if that was a legit event? If you don't even use AWS, wouldn't it be funny if your SIEM responds to this JSON as if it was a big deal?</p><p>I'm just pondering this, and I'll credit the source: I'm evaluating an internal bedrock-based threat modelling tool and it spit out the phrase "EventBridge Event Injection." I thought "<strong>oh shit</strong> that's a whole class of issues I haven't thought about."</p>
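<p>The defensive check the post above is asking for, as an added example that is not part of the original post: before any analyzer (LLM or SIEM rule) sees a log record, classify it by <em>where it was emitted</em> as well as by what it says. A finding-shaped JSON document in a Lambda function's own log group is a context mismatch to investigate, not a finding to page on. The record shape, the trusted log-group name and the sample records are constructed for this example; only the GuardDuty EventBridge <code>source</code> and <code>detail-type</code> values are real.</p>

```python
import json

# Real EventBridge envelope values for GuardDuty findings. Everything else
# in this example is constructed.
GUARDDUTY_SOURCE = "aws.guardduty"
GUARDDUTY_DETAIL_TYPE = "GuardDuty Finding"

# Assumption: the only log group that legitimately carries GuardDuty findings
# is the one fed by the GuardDuty EventBridge rule. The name is hypothetical.
TRUSTED_FINDING_LOG_GROUPS = {"/aws/events/guardduty-findings"}


def is_finding_shaped(obj):
    """True if a parsed JSON value *claims* to be a GuardDuty finding.

    Shape is a claim made by the content; it says nothing about origin.
    """
    if not isinstance(obj, dict):
        return False
    return (obj.get("source") == GUARDDUTY_SOURCE
            or obj.get("detail-type") == GUARDDUTY_DETAIL_TYPE)


def triage(record):
    """Classify one log record by content AND by the stream it came from.

    record: {"log_group": str, "message": str}   (constructed shape)
    Returns a dict whose 'verdict' is one of:
      plain_text       - not JSON; normal log analysis applies
      other_json       - JSON that is not finding-shaped
      finding          - finding-shaped JSON from a trusted finding source
      context_mismatch - finding-shaped JSON from anywhere else
    """
    log_group = record.get("log_group", "")
    try:
        obj = json.loads(record.get("message", ""))
    except (ValueError, TypeError):
        return {"verdict": "plain_text", "log_group": log_group}

    if not is_finding_shaped(obj):
        return {"verdict": "other_json", "log_group": log_group}

    if log_group in TRUSTED_FINDING_LOG_GROUPS:
        detail = obj.get("detail")
        detail = detail if isinstance(detail, dict) else {}
        return {"verdict": "finding", "log_group": log_group,
                "severity": detail.get("severity"), "type": detail.get("type")}

    # The case from the post: a function's stdout carrying something that only
    # looks like a finding. Surface the emitter, not the claimed severity.
    return {"verdict": "context_mismatch", "log_group": log_group,
            "reason": "finding-shaped JSON outside a trusted finding source"}


def triage_all(records):
    """Triage a batch of records; returns one verdict dict per record."""
    return [triage(r) for r in records]


# Constructed sample records. The same JSON document appears twice: once
# print()ed by an innocuous Lambda, once in the trusted finding log group.
FAKE_FINDING = json.dumps({
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {"severity": 8, "type": "Example:Constructed/NotAFinding"},
})

SAMPLE_RECORDS = [
    {"log_group": "/aws/lambda/innocuous-fn",
     "message": "START RequestId: 1 Version: $LATEST"},
    {"log_group": "/aws/lambda/innocuous-fn", "message": FAKE_FINDING},
    {"log_group": "/aws/events/guardduty-findings", "message": FAKE_FINDING},
    {"log_group": "/aws/lambda/innocuous-fn", "message": json.dumps({"ok": True})},
]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_RECORDS, triage_all(SAMPLE_RECORDS)):
        print(rec["log_group"], "->", verdict["verdict"])
```

<p>Only records with verdict <code>finding</code> should be handed to the analyzer as findings; a <code>context_mismatch</code> is its own detection (what is that function printing, and why?).</p>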
wall-e / Daniel<p>Maybe I'm missing something, but Sysmon is fucking weird:</p><p>- Developed by Microsoft subsidiary since the late 2000s, yet still not properly packaged by Microsoft, no auto-update mechanism or anything <br>- Download from non-microsoft domain linked to from a Microsoft Learn page<br>- Download is a .zip file without any version info<br>- binaries inside contain zero version info<br>- no chronological releases page anywhere to be found<br>- no RSS feed or anything else I could subscribe to, to be alerted when a new version comes out<br>- Deployed to millions of machines world-wide<br>- actively encouraged to install by every major SIEM vendor out there</p><p>How the fuck am I supposed to keep this thing up to date and/or be alerted to security patches after I've rolled out this unversioned binary blob across my whole ecosystem?</p><p><a href="https://ioc.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> <a href="https://ioc.exchange/tags/microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>microsoft</span></a> <a href="https://ioc.exchange/tags/siem" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>siem</span></a> <a href="https://ioc.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a></p>
Nagaram<p>Anyone have any suggestions for a <a href="https://hachyderm.io/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a>? I was going to use Graylog, but I'm not married to anything.</p><p>Also thinking I'll give it a whole Terabyte of storage.</p><p><a href="https://hachyderm.io/tags/homelab" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>homelab</span></a> <a href="https://hachyderm.io/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://hachyderm.io/tags/hacking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hacking</span></a> <a href="https://hachyderm.io/tags/IT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IT</span></a> <a href="https://hachyderm.io/tags/networking" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>networking</span></a></p>
Dag-Rune Z<p>I call it a dancing tree of life<br> <br> It is a classic shot of one of the main entrances to Ta Prohm Temple, but sometimes cliché becomes iconic.<br> <br> The Ta Prohm is somehow most known for its tall trees and solid root system entangled in the building's structure.<br> <br> But it is also one of the more challenging temples to explore, because of the structure itself, the park around it and the entrance gates. The area is so filled with interesting details and unexpected turns and ideas. This is one of the temples worth spending some time studying.<br> <br> Ta Prohm (Khmer: ប្រាសាទតាព្រហ្ម, "Ancestor Brahma") is the modern name of the structure. Originally it was called Rajavihara (Khmer: រាជវិហារ, "royal monastery"). It was built during the reign of Jayavarman VII, the great ruler who is known for Bayon, the final version of Angkor Thom city and other massive social public works like hospitals and safe guesthouses all over the realm.<br> <br> It was a monastery and university, built to honour the king's mother, with the gates honouring his brother and his guru. At the peak of its operation, 12 500 people lived within the Ta Prohm temple complex and appx 80 000 lived in villages around it, supporting the institution.<br> <br> <a href="https://en.m.wikipedia.org/wiki/Ta_Prohm" rel="nofollow noopener noreferrer" target="_blank">https://en.m.wikipedia.org/wiki/Ta_Prohm</a><br> <br> <a href="https://pixelfed.social/discover/tags/Angelina?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Angelina</a> <a href="https://pixelfed.social/discover/tags/moment?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#moment</a> <a href="https://pixelfed.social/discover/tags/dancing?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#dancing</a> <a href="https://pixelfed.social/discover/tags/tree?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#tree</a> <a href="https://pixelfed.social/discover/tags/life?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#life</a> <a href="https://pixelfed.social/discover/tags/treeoflife?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#treeoflife</a> <a href="https://pixelfed.social/discover/tags/jolie?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#jolie</a> <a href="https://pixelfed.social/discover/tags/siem?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#siem</a> <a href="https://pixelfed.social/discover/tags/reab?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#reab</a> <a href="https://pixelfed.social/discover/tags/siemreap?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#siemreap</a> <a href="https://pixelfed.social/discover/tags/cambodia?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#cambodia</a> <a href="https://pixelfed.social/discover/tags/kampuchea?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#kampuchea</a> <a href="https://pixelfed.social/discover/tags/worldheritage?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#worldheritage</a> <a href="https://pixelfed.social/discover/tags/khmer?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#khmer</a> <a href="https://pixelfed.social/discover/tags/khmerempire?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#khmerempire</a> <a href="https://pixelfed.social/discover/tags/worldculturalheritage?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#worldculturalheritage</a> <a href="https://pixelfed.social/discover/tags/mobilephotography?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#mobilephotography</a> <a href="https://pixelfed.social/discover/tags/2018CE?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#2018CE</a> <a href="https://pixelfed.social/discover/tags/architecture?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#architecture</a> <a href="https://pixelfed.social/discover/tags/angkor?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#angkor</a> <a href="https://pixelfed.social/discover/tags/goldenage?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#goldenage</a> <a href="https://pixelfed.social/discover/tags/taprohm?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#taprohm</a> <a href="https://pixelfed.social/discover/tags/Ta?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ta</a> <a href="https://pixelfed.social/discover/tags/Prohm?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#Prohm</a> <a href="https://pixelfed.social/discover/tags/J7?src=hash" class="u-url hashtag" rel="nofollow noopener noreferrer" target="_blank">#J7</a></p>
Graylog<p>Unmanaged <a href="https://infosec.exchange/tags/APIs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>APIs</span></a> create <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>security</span></a> blindspots. 🕶️ 😧 And, as orgs build out their application ecosystems, the number of APIs integrated into IT environments expands — which can easily overwhelm security teams. ↕️ 👀 😵 </p><p>Enter... API discovery.💥 Let's take a look at:</p><p>❓ What API discovery is<br>⚠️ The risks that undocumented and unmanaged APIs pose<br>❗ Why <a href="https://infosec.exchange/tags/API" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>API</span></a> discovery is important<br>🤖 Using automation for API discovery<br>👁️ What to look for in an API discovery tool</p><p><a href="https://graylog.org/post/why-api-discovery-is-critical-to-security/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">graylog.org/post/why-api-disco</span><span class="invisible">very-is-critical-to-security/</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a></p>
Jan<p>Has anybody already made wazuh agent 4.9 compile on openbsd 7.6? Errors (syscheckd) on my system<br><a href="https://mastodon.bsd.cafe/tags/openbsd" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>openbsd</span></a> <a href="https://mastodon.bsd.cafe/tags/monitoring" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>monitoring</span></a> <a href="https://mastodon.bsd.cafe/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a></p>
AndiMann<p>A10: My advice for <a href="https://masto.ai/tags/AI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AI</span></a> in <a href="https://masto.ai/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> is start experimenting in ‘safe mode’ – e.g. non-prod systems like plan, dev, test, QA (cf. <a href="https://masto.ai/tags/DevSecOps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DevSecOps</span></a>); post-incident review; or prod-adjacent systems like <a href="https://masto.ai/tags/O11Y" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>O11Y</span></a> &amp; <a href="https://masto.ai/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a>. Use findings to build policy &amp; governance. Iterate to build trust. </p><p><a href="https://masto.ai/tags/eWeekChat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>eWeekChat</span></a></p>
MalwareLab<p>During the <a href="https://infosec.exchange/tags/SharkBytes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SharkBytes</span></a> session at the <a href="https://infosec.exchange/tags/SharkFest" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SharkFest</span></a> conference I had an opportunity to present a lightning talk about my pet project called IDS Lab.<br>It is a lab infrastructure deployable as docker containers, which simulates a small company network.</p><p>The IDS Lab consists of a webserver with <a href="https://infosec.exchange/tags/Wordpress" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Wordpress</span></a>, a <a href="https://infosec.exchange/tags/MySQL" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MySQL</span></a> database, a <a href="https://infosec.exchange/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Linux</span></a> desktop with RDP, and the <a href="https://infosec.exchange/tags/WireGuard" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WireGuard</span></a> VPN for "remote" workers and for connecting other virtual or physical machines into the lab network.<br>This part of the infrastructure can be used for attack simulations.</p><p>There are additional components for playing with logs and detections, too: <a href="https://infosec.exchange/tags/Fluentbit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Fluentbit</span></a>, <a href="https://infosec.exchange/tags/Suricata" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Suricata</span></a> and <a href="https://infosec.exchange/tags/OpenObserve" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenObserve</span></a> as a lightweight SIEM.</p><p>In the <a href="https://infosec.exchange/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a> we already have preconfigured dashboards for alerts, netflows, web logs and logs from Windows machines, if present.</p><p>Using the provided setup script, the whole lab can be up and running in up to 5 minutes. For more info, please check my GitHub repository with the IDS Lab:</p><p><a href="https://github.com/SecurityDungeon/ids-lab/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/SecurityDungeon/ids</span><span class="invisible">-lab/</span></a></p><p><a href="https://infosec.exchange/tags/sf24eu" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>sf24eu</span></a> <a href="https://infosec.exchange/tags/wireshark" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>wireshark</span></a> <span class="h-card" translate="no"><a href="https://ioc.exchange/@wireshark" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>wireshark</span></a></span></p>
Paco Hope #resist<p>I had a fabulous <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> typo on a proposal draft today. It's a draft, so no customer saw this. But we proposed to "execute an indecent response simulation." I'm not sure what sorts of indecent responses they planned to simulate, but I have concerns.</p><p><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/incidentresponse" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>incidentresponse</span></a> <a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a></p>
AndiMann<p>lol @hashicorp throwing shade @splunk &amp; @datadog in the <a href="https://masto.ai/tags/hashiconf" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hashiconf</span></a> Day2 <a href="https://masto.ai/tags/SecOps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SecOps</span></a> keynote re: new enhancements to reduce chatty (i.e. costly) <a href="https://masto.ai/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cybersecurity</span></a> log data.</p><p>TBF, also excited to namecheck $SPLK re: integrations with <a href="https://masto.ai/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a> &amp; <a href="https://masto.ai/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SOC</span></a> providers too. All part of the path to "<a href="https://masto.ai/tags/enterprise" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>enterprise</span></a> grade".</p>
wetfeet2000<p>Hey infosec network, got a question for you all! Does anyone have hands on experience with AWS Security Lake? How extensible / flexible is it? E.g. Can I modify lambdas to add my own enrichments, or upgrade to OCSF 1.3? Or add my own query engines like Trino? </p><p>I like the idea of replacing the traditional SIEM with a data lake but am scared of the level of abstraction of the actual "AWS Security Lake" product and am wondering if it would be better to build it from scratch with the underlying AWS components.</p><p><a href="https://infosec.exchange/tags/siem" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>siem</span></a> <a href="https://infosec.exchange/tags/aws" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>aws</span></a> <a href="https://infosec.exchange/tags/blueteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>blueteam</span></a></p>
AndiMann<p>"@elastic Accelerates Logs Onboarding with Automatic Import Powered by Search <a href="https://masto.ai/tags/AI" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AI</span></a>"</p><p>Love to see onboarding <a href="https://masto.ai/tags/Observability" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Observability</span></a> <a href="https://masto.ai/tags/data" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>data</span></a> easier - a top 5 decision factor for solutions in <a href="https://masto.ai/tags/O11Y" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>O11Y</span></a>, <a href="https://masto.ai/tags/AIOps" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AIOps</span></a>, <a href="https://masto.ai/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a>, etc!</p><p>Sounds impressive but let's see how it works IRL!</p><p><a href="https://www.silicon.co.uk/press-release/elastic-accelerates-logs-onboarding-with-automatic-import-powered-by-search-ai" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">silicon.co.uk/press-release/el</span><span class="invisible">astic-accelerates-logs-onboarding-with-automatic-import-powered-by-search-ai</span></a></p>
Miguel Afonso Caetano<p><a href="https://tldr.nettime.org/tags/WorkSurveillance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WorkSurveillance</span></a> <a href="https://tldr.nettime.org/tags/Surveillance" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Surveillance</span></a> <a href="https://tldr.nettime.org/tags/WageSlavery" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>WageSlavery</span></a> <a href="https://tldr.nettime.org/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a> <a href="https://tldr.nettime.org/tags/UEBA" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UEBA</span></a> <a href="https://tldr.nettime.org/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://tldr.nettime.org/tags/ThreatDetection" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatDetection</span></a> <a href="https://tldr.nettime.org/tags/BehaviorProfiling" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BehaviorProfiling</span></a>: "This case study explores, examines and documents how employers can use software that analyzes extensive personal data on employee behavior and communication for cybersecurity, insider threat detection and compliance purposes. To illustrate wider practices, it investigates software for “security information and event management” (SIEM), “user and entity behavior analytics” (UEBA), insider risk management and communication monitoring from two major vendors. First, it looks into cybersecurity and risk profiling systems offered by Forcepoint, a software vendor that was until recently owned by the US defense giant Raytheon. 
Second, it investigates in detail how employers can use cybersecurity and risk profiling software sold by Microsoft, whose “Sentinel” and “Purview” systems provide SIEM, UEBA, insider risk management and communication monitoring functionality. Combined, these systems can monitor everything employees do or say, profile their behavior and single them out for further investigation. Similar to predictive policing technologies, they promise not only to detect incidents but to prevent them before they occur. While organizations can use these software systems for legitimate purposes, this study focuses on their potential implications for employees."</p><p><a href="https://crackedlabs.org/en/data-work/publications/securityriskprofiling" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">crackedlabs.org/en/data-work/p</span><span class="invisible">ublications/securityriskprofiling</span></a></p>
Steven Butterworth(UK-IT-GURU)<p>👋 Hello Mastodon!</p><p>I'm Steven Butterworth, aka UKITGURU. I specialise in InfoSec and SIEM technologies (Splunk, Sentinel, Elastic). As a freelancer, I create and deliver SIEM content, working with gov departments and private sectors. Passionate about Data Science, Data Engineering, and data literacy. Avid triathlon enthusiast—never enough bikes! 🚴‍♂️</p><p>Looking forward to connecting!</p><p><a href="https://infosec.exchange/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <br><a href="https://infosec.exchange/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a> <br><a href="https://infosec.exchange/tags/Splunk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Splunk</span></a> <br><a href="https://infosec.exchange/tags/Sentinel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Sentinel</span></a> <br><a href="https://infosec.exchange/tags/DataScience" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DataScience</span></a> <br><a href="https://infosec.exchange/tags/Triathlon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Triathlon</span></a> <br><a href="https://infosec.exchange/tags/Cycling" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cycling</span></a></p>
TribesmanJohn 🇦🇺🌏👨🏼‍💻📷<p>Today I learnt MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 encapsulates LDAP Authentication on Windows Domain controllers where a request is made by LDAP(S).</p><p>This is after I have spent years following and trusting most of the advice online that it's an artifact of NTLM authentication and the local security authority (LSA). For the better part of a decade I had assumed these were being generated by legacy Windows devices using NTLM, but never working out why there were so many of them.</p><p>It all makes sense now! And now at least I have a better understanding of some of the events I am looking at!</p><p><a href="https://aus.social/tags/microsoft" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>microsoft</span></a> <a href="https://aus.social/tags/ldap" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ldap</span></a> <a href="https://aus.social/tags/siem" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>siem</span></a> <a href="https://aus.social/tags/splunk" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>splunk</span></a> <a href="https://aus.social/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
Anton Chuvakin<p>"We Love What’s Broken … Yes, This Of Course Means <a href="https://infosec.exchange/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a>!" <a href="https://bit.ly/4chFl2Y" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">bit.ly/4chFl2Y</span><span class="invisible"></span></a> &lt;- highlights from a fun report about SIEM from CardinalOps!</p>
Anton Chuvakin<p>"One More Time on <a href="https://infosec.exchange/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a> Telemetry / Log Sources … " <a href="https://bit.ly/3vF1OY1" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">bit.ly/3vF1OY1</span><span class="invisible"></span></a> &lt;- ok so this has a boring title, but it has some useful info, I promise -)</p>
Anton Chuvakin<p>"Migrate Off That Old <a href="https://infosec.exchange/tags/SIEM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SIEM</span></a> Already!" <a href="https://www.googlecloudcommunity.com/gc/Community-Blog/Migrate-Off-That-Old-SIEM-Already/ba-p/705149" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">googlecloudcommunity.com/gc/Co</span><span class="invisible">mmunity-Blog/Migrate-Off-That-Old-SIEM-Already/ba-p/705149</span></a> &lt;- a somewhat fun, modern (hopefully?) take on an old and often painful topic...</p>