As part of the #OpenSOC event Recon InfoSec recently conducted, we wanted to visualize where all of our participants were coming from. We had several data points to work from, and there are plenty of open tools available, so it is just a matter of cobbling those items together to create a sweet, sweet map.
Let me first say, on behalf of the Recon team, we cannot thank the community enough for joining us last week.
Hello OpenSOC fam! First and most importantly, we hope that you and yours are healthy and happy in these unprecedented times.
The Recon incident response team recently worked an intrusion case involving a ManageEngine Desktop Central server that was affected by CVE-2020-10189.
Staying on top of the latest adversarial methodologies means quickly adjusting to new TTPs and requires a thorough and constant understanding of your own detection capabilities. Given a rapidly changing, dynamic environment, this level of attention can't be a manual process; it requires the magic of automation.
If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :)
We're thrilled to be accepted back to BlackHat to run our live-fire Network Defense Range (NDR) course again this year! We received overwhelmingly positive feedback from last year's attendees and we have even bigger plans this year.
TL;DR - we needed to ingest multiple sources of Cylance logs into Graylog, and this is how we did it.
I tweeted this the other day, and had a lot of folks reach out asking for more details/a diagram of this setup.