Visualizing Geo IP Information using Python

Apr 17, 2020 1:11:00 PM / by Brian Greunke posted in Automation, Python, BlackHat

As part of the #OpenSOC event Recon InfoSec recently conducted, we wanted to visualize where all of our participants were coming from. We had several data points to work from, and there are plenty of open tools available, so it is just a matter of cobbling those items together to create a sweet, sweet map.

Read More

Camp COVID - A Recap

Apr 17, 2020 11:40:00 AM / by Whitney Champion posted in OpenSOC, Events, Graylog, Infrastructure


Let me first say, on behalf of the Recon team, we cannot thank the community enough for joining us last week.

Read More


Mar 30, 2020 1:15:00 PM / by Eric Capuano posted in OpenSOC, Events


Hello OpenSOC fam! First and most importantly, we hope that you and yours are healthy and happy in these unprecedented times.

Read More

Analysis Of Exploitation: CVE-2020-10189

Mar 25, 2020 1:39:00 PM / by Luke Rusten posted in DFIR, Incident Response, Forensics, SecOps, InfoSec, Defense, Malware, Exploit, CVE-2020-10189, Intel Sharing, Zoho, Vulnerability, ManageEngine

The Recon incident response team recently worked an intrusion case involving a ManageEngine Desktop Central server that was affected by CVE-2020-10189.

Read More

Automating Detection Coverage Analysis with ATT&CK Navigator

Feb 13, 2020 1:52:00 PM / by Brian Greunke posted in Automation, DFIR, SecOps, Security, Threat Hunting, Defense, Graylog, Continuous Integration, MITRE ATT&CK

Staying on-top of the latest adversarial methodologies means quickly adjusting to new TTPs and requires a thorough and constant understanding of your own detection capabilities. Given a rapidly changing, dynamic environment, this level of attention can't be a manual process, it requires the magic of automation.

Read More

Integrating Graylog With TheHive

Jan 31, 2020 2:11:00 PM / by Whitney Champion posted in Automation, DFIR, Incident Response, SecOps, Security, Defense, Python, Graylog, DevOps, TheHive, Cortex, API

If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :)

Read More

Network Defense Range (NDR) Returning to BlackHat 2020

Jan 26, 2020 2:26:00 PM / by Eric Capuano posted in Incident Response, InfoSec, Training, Threat Hunting, NDR, Defense, BlackHat

We're thrilled to be accepted back to BlackHat to run our live-fire Network Defense Range (NDR) course again this year! We received overwhelmingly positive feedback from last year's attendees and we have even bigger plans this year.

Read More

Graylog and Cylance Protect Integration

Dec 23, 2019 2:37:00 PM / by Whitney Champion posted in Operations, SecOps, Security, Graylog, Logging, DevOps, API, Cylance

TL;DR - we needed to ingest multiple sources of Cylance logs into Graylog, and this is how we did it.

Read More

Brokering Other Cloud Resources Behind AWS Services

Nov 21, 2019 2:43:00 PM / by Whitney Champion posted in DFIR, Operations, SecOps, Security, ZeroTier, DevOps, AWS, Cognito, Identity Aware Proxy, Cloud

I tweeted this the other day, and had a lot of folks reach out asking for more details/a diagram of this setup.

Read More

The Infrastructure, II

Oct 17, 2019 2:48:00 PM / by Whitney Champion posted in OpenSOC, DEFCON, Events, Infrastructure

After DEF CON last year, we posted this blog about our infrastructure, which was spread between a handful of Intel NUCs, and AWS. It was epic. It was shiny and new. We loved it.

Read More
View RSS Feed