🎉 Just dropped a new Kunai release! 🎉

We've been working hard on some exciting new features and performance boosts that we can't wait for you to try out! Here's what's new:

New Features:
🔍 Track io_uring operations with new io_uring_sqe events!
📝 Get more context with parent command line information for execve and execve_script events.
🔎 Get information about matching filtering rules in final events.
🧪 Test your filters with ease using the new test command.

Improvements:
⚡ Experience performance boosts thanks to changes in the event matching engine and code refactoring.

Ready to dive in? Check out the full release notes here: https://github.com/kunai-project/kunai/releases/tag/v0.6.0

Don't hesitate to give Kunai a try and share your feedback! Let's make Kunai even better together!

#Linux #ThreatHunting #ThreatDetection #DFIR #DetectionEngineering #OpenSource

Release v0.6.0 · kunai-project/kunai

Release Notes New Features Enhanced Event Tracking: Added support for io_uring_sqe events, improving the tracking of I/O operations. Parent Command Line Information: Added parent command line info...

GitHub

🚀 Kunai Sandbox is now live! 🚀

Curious about Kunai? Want to analyze Linux malware logs? Or share malware analysis to build detection rules? Kunai Sandbox has you covered! 🛡️

🔍 Check out what Kunai can do:
✅ Explore Kunai's log structure without running it locally
✅ Analyze logs generated by Linux malware
✅ Share malware analysis with others to build detection rules

🔗 See an example analysis of the perfctl #linux #malware: https://sandbox.kunai.rocks/analysis/59edbf8c-41b7-4144-97e0-9b0571446c02

#detectionengineering #infosec #dfir #soc

I wrote a @greynoise blog about Suricata, poor documentation, overlapping RFCs, and weird historical choices. Hope you like it!

If you like "things about Suricata that annoy Ron" blogs, let me know... I have way more. :)

https://www.labs.greynoise.io/grimoire/2025-06-05-suricata-url-decoding/

#infosec #detectionengineering #blog

Suricata evasion, starring URL decoding – GreyNoise Labs

How does Suricata’s URL decoding work? It’s more complex than you think!

GreyNoise Labs

Blog posts from Recon Infosec regarding building detection capabilities using Sigma:

- SigmaHQ Essentials - Building Robust Detection Capabilities: https://blog.reconinfosec.com/sigmahq-essentials-building-robust-detection-capabilities

- SigmaHQ Essentials - Building Robust Detection Capabilities - Part 2: https://blog.reconinfosec.com/sigmahq-essentials_-building-robust-detection-capabilities-part-2

#sigma #detectionengineering

SigmaHQ Essentials - Building Robust Detection Capabilities

This series of blog posts should cover the basics to get you started. What is SigmaHQ? How are detections written? How can detection engineering be integrated into your tools/SOC/security team? And a few other fancy uses you can get out of this free and amazing repository of detections.

@chrissanders88 100% agree. From a SOC perspective, it’s all assumptions on why it fired, and not seeing the exact logic prevents the analyst from fully understanding the reason for alerting and where to potentially pivot next. I’m gonna guess there’s “secret sauce” involved for why they don’t share, but from a detection engineering perspective I need to confirm your logic to ensure I don’t need to supplement it with my own. Is your rule too narrow in scope? Is it outdated and no longer relevant? Does it cover multiple OSes? Security teams have been burned too many times assuming a vendor’s detection base provides coverage for certain threats when in reality it sat there and watched while it happened. Custom logic should always have comments for what it’s looking for, relevant cyber threat intelligence reporting to support its creation, MITRE ATT&CK T-code for tracking, and tips for SOC analysis. #soc #dfir #DetectionEngineering #threatintelligence #cti

This blog is a little bitter, but it's what it is 🫠

Detecting Vulnerable Drivers (a.k.a. LOLDrivers) the Right Way

https://academy.bluraven.io/blog/detecting-vulnerable-drivers-using-defender-for-endpoint-kql

#ThreatHunting #DetectionEngineering

Detecting Vulnerable Drivers (a.k.a. LOLDrivers) the Right Way

Detect vulnerable Windows drivers in MDE the right way using KQL and LOLDrivers.io. Avoid common query mistakes and boost detection accuracy.

Mehmet Ergene
If you’re #purpleteam ’ing without #OpenTIDE, why don’t you want your work to be actionable for your #SOC #DetectionEngineering :P

I published a blog post about testing Security Onion's DNS C2 detection capabilities: https://akusilvennoinen.fi/posts/security-onion-dns-c2/

Sliver DNS C2 traffic is not detected by Security Onion 2.4.111 using the default detection rules.

None of the Security Onion detections (at least from the default sources) are statistical anomaly detections or some other behavioral detections, and detecting DNS C2 traffic requires a statistical or some other behavioral method to avoid an excessively high number of false positives.

Security Onion 2.4.111 contains Zeek (formerly known as Bro), a network traffic analysis framework. Zeek can be used for defining statistical detections with its event-driven scripting language.

Jeremy Baggs has developed Zeek scripts for detecting anomalous DNS traffic. The scripts are available at https://github.com/jbaggs/anomalous-dns.

The blog post describes a method for adding these scripts to Security Onion.

#securityonion #sliver #zeek #detectionengineering

Testing Security Onion's DNS C2 Detection Capabilities

In this post, the DNS command-and-control (C2) detection capabilities of Security Onion are evaluated using Sliver. A standalone installation of Security Onion is assumed; however, the solutions presented should be applicable to other deployment models as well. The process begins with the setup of Sliver’s DNS C2 feature.

Setting up Sliver DNS C2

Step-by-step instructions for setting up DNS C2 are provided in the Sliver documentation. Cloudflare DNS is used as the example in the documentation. When using Cloudflare DNS, the setup process is straightforward due to the detailed guidance.

Aku Silvennoinen Infosec Blog
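The post above argues that DNS C2 needs a statistical rather than a signature-based detection. As an added example (not from the post, and not code from the anomalous-dns project), this Python snippet applies one such per-source check to a constructed Zeek dns.log excerpt: it groups queries by (client, registered domain) and flags pairs with many distinct, high-entropy subdomain labels, which is how beaconing or tunnelling over DNS tends to look. The thresholds and the naive "last two labels" registered-domain split are assumptions, not Zeek or Security Onion defaults.

```python
"""Statistical DNS-tunnelling indicator over Zeek dns.log (TSV) records."""
import math
from collections import Counter, defaultdict

# Constructed dns.log excerpt with a reduced #fields line (real logs carry more columns).
SAMPLE_DNS_LOG = """#fields\tts\tid.orig_h\tquery\tqtype_name
1717577000.1\t10.0.0.5\tkq3v7x2ma9fz4lt8.c2-example.test\tTXT
1717577001.2\t10.0.0.5\tb5ngr0wy6jc1pdeh.c2-example.test\tTXT
1717577002.3\t10.0.0.5\tu2sx9kt4ia7ozq3m.c2-example.test\tTXT
1717577003.4\t10.0.0.5\th8fw1ly5vrgd6ncb.c2-example.test\tTXT
1717577004.5\t10.0.0.5\te4pj0tk2xa9mqs7z.c2-example.test\tTXT
1717577005.6\t10.0.0.5\tr6cv3bnw8yd1gf0h.c2-example.test\tTXT
1717577006.7\t10.0.0.5\twww.example.com\tA
1717577007.8\t10.0.0.7\twww.example.com\tA
1717577008.9\t10.0.0.7\tmail.example.com\tA
1717577009.0\t10.0.0.7\texample.com\tA
"""

def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def shannon_entropy(s):
    """Bits per character; random-looking labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(query):
    """Assumed simplification: last two labels (a public-suffix list is better)."""
    return ".".join(query.rstrip(".").split(".")[-2:])

def find_dns_anomalies(text, min_unique=5, min_entropy=3.0):
    """Return (client, domain) pairs with many distinct high-entropy subdomains."""
    buckets = defaultdict(set)
    for rec in parse_zeek_tsv(text):
        q = rec["query"].lower()
        dom = registered_domain(q)
        sub = q[: -len(dom)].rstrip(".") if q.endswith(dom) else ""
        if sub:  # bare registered-domain lookups carry no subdomain signal
            buckets[(rec["id.orig_h"], dom)].add(sub)
    hits = []
    for (host, dom), subs in buckets.items():
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and mean_ent >= min_entropy:
            hits.append({"orig_h": host, "domain": dom,
                         "unique_subdomains": len(subs), "mean_entropy": round(mean_ent, 2)})
    return hits
```

Run against real Security Onion output, the same logic applies to `dns.log` as Zeek writes it, since the `#fields` header drives the parsing; tune the thresholds against a baseline of normal traffic before alerting on them.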

🔍 Detection rules are only as good as the tests behind them. 💡📊

Ariel Ropek's #BSidesBoulder25 talk "Incorporating End to End Integration Tests into your Detection Engineering Workflow" will provide a practical guide to moving beyond brittle unit tests and validating detections with full attack simulations. If you're building detection-as-code or maintaining a SIEM, this talk is your blueprint for making sure your alerts fire when it really matters! #BSides #BSidesBoulder #CyberSecurity #DetectionEngineering #E2ETesting #CyberDefense

Check out our full schedule at https://bsidesboulder.org/schedule/

Tickets are available for purchase for our 13 June event here: https://www.eventbrite.com/e/bsides-boulder-2025-registration-1290129274389

Schedule

Schedule is subject to change

Okta has published a decent repository of custom detection and hunting queries for your Okta tenant. I highly recommend taking a look and considering implementation, bearing in mind the likelihood of false positives.

I also recommend monitoring for any user enabling impersonation access for support cases. This allows Okta engineers into your tenant, and threat actors will abuse this to pivot. Any attempts to turn this on should be audited to ensure it aligns with remote troubleshooting with Okta engineers.

Finally, audit any Okta admins who run reports from the admin portal. Threat actors love these reports to identify org MFA policies, password health, and admin role assignments.

https://sec.okta.com/articles/2025/05/leveraging-okta-syslogs-for-proactive-threat-detection/

https://support.okta.com/help/s/article/approving-a-read-only-impersonation-access-request-for-a-support-case?language=en_US

https://help.okta.com/en-us/content/topics/reports/report-types.htm

#cti #detectionengineering #soc #threatintel

Leveraging Okta System Logs for Proactive Threat Detection

Okta Threat Intelligence is thrilled to announce the launch of our Customer Detection Catalog, a repository of detection queries designed to help Okta

Okta Security