• Political & Economic Leftist
• Tabletop Roleplayer
• Longevity Enthusiast
• Healthcare CyberSec Incident Responder & Threat Hunter
Two easy and important tools to baseline for exclusions and monitor in many large environments are psexec and winexe. Sending Win Event Log 4866 to #splunk if you don't have an endpoint agent is a good place to start with this intrusion alert.
Sometimes you can catch malware in #splunk w/ an intrusion alert to look for common executable names located in places they shouldn't be. These can be noisy so baselining the environment first is important to build proper exclusions. See below.
Many orgs use MS Exchange in the cloud. If audit logs are ingested into #splunk you can create an alert that looks for accounts with webmail logins, using more than 1 IP per session, where the account has a recent new inbox rule created.
In yesterday's post the #splunk alert counted events to find a log source that was below 300. The SPL created a value of 0 if none was found. The below SPL today uses the COALESCE command to bring all sources together and alert on low values.
Yesterday's post:
https://infosec.exchange/@0xDEADKEITH/111411525405519136
If you are going to monitor logs for threats in #splunk you also need to know when a log outage occurs for vital sources! An alert can monitor for the absence or degradation of logs. The alert below looks if a log source goes below 300 events.
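A search in the spirit of the two log-outage posts above, added here as an illustration and not the author's own SPL (which was posted as an image). It assumes a lookup file named vital_log_sources.csv with index and sourcetype columns listing the sources that must keep flowing; it counts the last hour of events per source and uses coalesce to turn a missing count into 0, so a source that has gone completely silent still trips the threshold.

```spl
| inputlookup vital_log_sources.csv
| eval expected=1
| append
    [ | tstats count AS recent
        WHERE earliest=-60m latest=now index=*
        BY index sourcetype ]
| stats max(expected) AS expected, sum(recent) AS recent BY index sourcetype
| where expected=1
| eval recent=coalesce(recent, 0)
| where recent < 300
| eval severity=if(recent=0, "outage", "degraded")
| table index sourcetype recent severity
```

Sources that appear in the data but not in the lookup are dropped by the expected=1 filter, so only the vetted list of vital sources can raise the alert.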
Bad actors sometimes try exfil through port 53. Depending on your firewall data, it can be tough to spot this. Below in #splunk I look for unblocked traffic where median transfer volume is higher than 5 standard deviations from the norm.
When monitoring a network using #splunk logs you often want to bucket time (maybe by the hour) and then add up all the bytes transferred between the same source and destinations. SUM with EVENTSTATS and DEDUP makes this possible.
REMINDER: ChatGPT, Stable Diffusion, and other large trained neural models are NOT "artificial intelligence", they're just stochastic parrots, remixing and regurgitating what they've been fed. There's no theory-of-mind involved, so no understanding: there's no "there" there. (A real live parrot exhibits more intelligence than this.)
Don't call it AI; call it parrot-tech. That way you'll have a better perspective on what it can (and can't) do.