@claushoumann @infosystir Let me know if you have questions, it's very much a POC but we ripped through around 350 procedures thus far for our DE team to use
@armengar @infosystir for Moloch, now rebranded to TIDeMEC, it’s going a bit slower than that; the learning curve got restarted a bit when we dug a bit deeper into TVM granularity to integrate attack path modeling by chaining TVMs. But the results are superb for IR contextualization and high quality detections. TVM granularity is now variable, you can basically expand/unfold any TVM into parts whenever you need to. Like inserting extra rows into a lattice
@claushoumann @infosystir nice! I think the attack path modeling is really key, I was also really interested in this idea of "chokepoint mapping" where you align the procedures in order and overlay them across groups or campaigns to identify the most impactful procedure to detect or mitigate to stop the most attacks
@armengar @infosystir other changes: deep/full understanding of the APIs of Splunk, Sentinel, CBC, full modularity for others to contribute same for other platforms, and turn off visual representation of what you don’t use. And so much more :). But really need a community here soon
@claushoumann @infosystir can’t wait to see it! Watched the video from hack.lu - open source end of this year or early next right?
@armengar @infosystir but so much still not done. No server sync between different entities yet, no ingestion of fired triaged detections for OODA loops, no testing, no emulation integration yet, no community feedback module (this vertical or this size company found this detection objective useful, but this other vertical had too much noise with it etc), no Software and Software submodules models yet (Mimikatz as sw as example, mimikatz LSASS dumper as a