Our team are huge fans of Velociraptor. It's an incredibly powerful tool, for both DFIR and endpoint management. It currently supports Windows, Linux, and Mac endpoints, and BONUS: it's open source!
Recent Posts
Securing Your Velociraptor Deployment
Sep 23, 2020 10:51:00 AM / by Whitney Champion posted in DFIR, Velociraptor, Incident Response, Forensics, Operations, SecOps, Security, InfoSec, Threat Hunting, DevOps, AWS, Cognito, Identity Aware Proxy
Integrating Thinkst Canaries with TheHive
Sep 16, 2020 11:33:00 AM / by Whitney Champion posted in Automation, DFIR, Incident Response, Forensics, SecOps, Canaries, InfoSec, Thinkst, Training, Python, TheHive, Cortex
We've been big fans of the Thinkst platform for a while now. We may have mentioned them a time or two :) Like many others, we get a lot of mileage out of their Canaries and Canary Tokens.
OpenSOC @ DEF CON 28 Safe Mode
Aug 14, 2020 11:53:00 AM / by Whitney Champion posted in OpenSOC, DEFCON, Events
Some of you may remember our last event, Camp COVID. That was the biggest event we had ever run.
UNTIL LAST WEEK: DEF CON 28
Camp COVID - A Recap
Apr 17, 2020 11:40:00 AM / by Whitney Champion posted in OpenSOC, Events, Graylog, Infrastructure
Let me first say, on behalf of the Recon team, we cannot thank the community enough for joining us last week.
Integrating Graylog With TheHive
Jan 31, 2020 2:11:00 PM / by Whitney Champion posted in Automation, DFIR, Incident Response, SecOps, Security, Defense, Python, Graylog, DevOps, TheHive, Cortex, API
If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :)
Graylog and Cylance Protect Integration
Dec 23, 2019 2:37:00 PM / by Whitney Champion posted in Operations, SecOps, Security, Graylog, Logging, DevOps, API, Cylance
TL;DR - we needed to ingest multiple sources of Cylance logs into Graylog, and this is how we did it.
Brokering Other Cloud Resources Behind AWS Services
Nov 21, 2019 2:43:00 PM / by Whitney Champion posted in DFIR, Operations, SecOps, Security, ZeroTier, DevOps, AWS, Cognito, Identity Aware Proxy, Cloud
I tweeted this the other day, and had a lot of folks reach out asking for more details/a diagram of this setup.
The Infrastructure, II
Oct 17, 2019 2:48:00 PM / by Whitney Champion posted in OpenSOC, DEFCON, Events, Infrastructure
After DEF CON last year, we posted this blog about our infrastructure, which was spread between a handful of Intel NUCs and AWS. It was epic. It was shiny and new. We loved it.
Automating Graylog Pipelines
Jun 18, 2019 3:02:00 PM / by Whitney Champion posted in Automation, DFIR, SecOps, Security, Python, Graylog, Continuous Integration, DevOps, Ansible
Part of our job at Recon relies on fine-tuning the threat signatures that make up the bulk of the pipeline rules in our Graylog environment.
The Infrastructure
Aug 27, 2018 3:57:00 PM / by Whitney Champion posted in Automation, SecOps, OpenSOC, DEFCON, DevOps, Infrastructure
When I joined the OpenSOC team at the beginning of this year, everything resided on 3 Intel Skull Canyon NUCs, a couple of other systems for scenarios or applications with hardware requirements, a Ubiquiti WAP, a Synology NAS, and various other things.