Visualizing Geo IP Information using Python
Apr 17, 2020 1:11:00 PM / by Brian Greunke posted in Automation, Python, BlackHat
As part of the #OpenSOC event Recon InfoSec recently conducted, we wanted to visualize where all of our participants were coming from. We had several data points to work from, and there are plenty of open tools available, so it is just a matter of cobbling those items together to create a sweet, sweet map.
Camp COVID - A Recap
Apr 17, 2020 11:40:00 AM / by Whitney Champion posted in OpenSOC, Events, Graylog, Infrastructure

Let me first say, on behalf of the Recon team, we cannot thank the community enough for joining us last week.
OpenSOC: Camp COVID
Mar 30, 2020 1:15:00 PM / by Eric Capuano posted in OpenSOC, Events
Hello OpenSOC fam! First and most importantly, we hope that you and yours are healthy and happy in these unprecedented times.
Analysis Of Exploitation: CVE-2020-10189
Mar 25, 2020 1:39:00 PM / by Luke Rusten posted in DFIR, Incident Response, Forensics, SecOps, InfoSec, Defense, Malware, Exploit, CVE-2020-10189, Intel Sharing, Zoho, Vulnerability, ManageEngine
The Recon incident response team recently worked an intrusion case involving a ManageEngine Desktop Central server that was affected by CVE-2020-10189.
Automating Detection Coverage Analysis with ATT&CK Navigator
Feb 13, 2020 1:52:00 PM / by Brian Greunke posted in Automation, DFIR, SecOps, Security, Threat Hunting, Defense, Graylog, Continuous Integration, MITRE ATT&CK
Staying on top of the latest adversarial methodologies means quickly adjusting to new TTPs, which requires a thorough and constant understanding of your own detection capabilities. In a rapidly changing, dynamic environment, this level of attention can't be a manual process; it requires the magic of automation.
Integrating Graylog With TheHive
Jan 31, 2020 2:11:00 PM / by Whitney Champion posted in Automation, DFIR, Incident Response, SecOps, Security, Defense, Python, Graylog, DevOps, TheHive, Cortex, API
If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :)
Network Defense Range (NDR) Returning to BlackHat 2020
Jan 26, 2020 2:26:00 PM / by Eric Capuano posted in Incident Response, InfoSec, Training, Threat Hunting, NDR, Defense, BlackHat
We're thrilled to be accepted back to BlackHat to run our live-fire Network Defense Range (NDR) course again this year! We received overwhelmingly positive feedback from last year's attendees and we have even bigger plans this year.
Graylog and Cylance Protect Integration
Dec 23, 2019 2:37:00 PM / by Whitney Champion posted in Operations, SecOps, Security, Graylog, Logging, DevOps, API, Cylance
TL;DR - we needed to ingest multiple sources of Cylance logs into Graylog, and this is how we did it.
Brokering Other Cloud Resources Behind AWS Services
Nov 21, 2019 2:43:00 PM / by Whitney Champion posted in DFIR, Operations, SecOps, Security, ZeroTier, DevOps, AWS, Cognito, Identity Aware Proxy, Cloud
I tweeted this the other day, and had a lot of folks reach out asking for more details/a diagram of this setup.
The Infrastructure, II
Oct 17, 2019 2:48:00 PM / by Whitney Champion posted in OpenSOC, DEFCON, Events, Infrastructure
After DEF CON last year, we posted this blog about our infrastructure, which was spread between a handful of Intel NUCs, and AWS. It was epic. It was shiny and new. We loved it.