Staying on-top of the latest adversarial methodologies means quickly adjusting to new TTPs and requires a thorough and constant understanding of your own detection capabilities.…
If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :) We also love TheHive. It makes tracking incidents easy, it's reliable, and it's another well-managed open source project that we support and contribute to. TheHive also integrates with Cortex, which allows us…
NDR is a one-of-a-kind training platform that enables SOC analysts, threat hunters, and incident responders to go toe-to-toe with advanced adversaries in a low-stakes/zero-risk environment.…
TL;DR - we needed to ingest multiple sources of Cylance logs into Graylog, and this is how we did it. Since we had never integrated with their API before, we were looking at a lot of unknowns. Searching GitHub uncovered a huge win. Lucky for us, someone had already…
I tweeted this the other day, and had a lot of folks reach out asking for more details/a diagram of this setup. places like digitalocean and vultr have beefy systems for less SO, we stand up a big system there, and a small proxy in AWS behind an ALB/…
Part of our job at Recon relies on fine tuning our threat signatures that make up the bulk of our pipeline rules in our Graylog environment. Because of this, they are constantly changing, growing, being tuned, and ultimately becoming more effective over time at detecting anomalous activity.…
The Recon incident response team recently worked an intrusion case involving a Confluence web application server that was affected by CVE-2019-3396. The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3…
In this long overdue post, we'll share a few tricks that we use to heavily secure our own ZeroTier networks to not only restrict communication to authorized hosts on a directional basis but even capture and inspect packets!…
Join us at BlackHat 2019 where we will be offering NDR Crucible -- our premier 4-day Network Defense Range training!…
To the delight of most Graylog users, geolocation is automatically built into the platform via the "GeoIP Resolver" plugin. All that is needed is a MaxMind database and you are ready to roll. However, there is a better way of going about geolocation that might be worth implementing…