I wanted to write about the importance of checking for new services, as this is an avenue through which attackers establish persistence. While looking at newly created services…
Accountability is important, and sometimes we might need to investigate who made certain changes at a specific time, or ensure that our privileged accounts are not logging in to other…
Two articles ago I covered how to monitor Active Directory using ELK. Now you should be seeing account login information (successful logins, failed logins, lockouts, etc.). However, when looking at…
There have been plenty of instances where I have had to go through an investigation after a user has clicked on a phishing email and find out what happened afterwards. After performing…
“Can you tell me where this account is getting locked out from?” is a frequent question that I would get from the Help Desk, or anyone in general; therefore, I…
Since I’ve struggled to get McAfee ePO to send syslog to my ELK environment, I decided to leverage the SQL JDBC driver and the Logstash JDBC plug-in to pull threat records…
The following configuration will make it easier to parse syslog messages sent from your Websense appliance to your ELK stack. If you need assistance setting up SIEM integration with Websense…
After seeing a vast amount of phishing emails coming through, I’ve decided to implement additional protection by tagging possible phishing emails, applying my own set of conditions to…
I have a work requirement to look up zip codes based on incomplete addresses (street, city, state, etc.) – this could be accomplished by going into Google Maps and plugging…
This is a quick one but definitely helpful: <# Use -ResultSize Unlimited only when you are done formatting and testing your command. If you have a big Exchange environment,…