Collaborate Disseminate
I’m having a difficult time understanding why windows event id 4732 (A member was added to a security-enabled local group) got triggered whenever a new user was added to: group: Users, group domain name: builtin. So I guess this means they… Continue reading Event ID 4732 when user got added to Builtin/Users group [migrated]
I am learning about rule creation. But I’m not sure what I’m doing wrong. I am trying to detect a "DHCP Renew Lease" activity of users from a subnet after 8pm
events were detected by one or more of *Firewall"
source IP is o… Continue reading SIEM rule fine-tuning [closed]
I know of a user within my network who initiated a VPN connection within my network. What are ways I’ll be able to find out the identity of user, searching port numbers? specific protocol established?
I am Using IBM qradar for monitoring a… Continue reading Identify user with a VPN connection within the network
It is known that ISP has to log various network data for various purposes, such as law enforcement needs.
However, what are some examples of software tools used by ISPs to browse this huge amount of network logs?
In addition, how time-cons… Continue reading Which tools ISPs use for browsing logs?
We’re manually reading HTTPD log files and taking note of service abuse.
Example:
10.0.0.1 – – [01/Jan/1970:00:01:01 -0100] "GET /fckeditor/editor/filemanager/connectors/php/upload.php?Type=Media
…
10.0.0.2 – – [01/Jan/1970:00:01:10… Continue reading Is there a utility that identifies attack footprints in HTTPD log files? [duplicate]
We’re manually reading HTTPD log files and taking note of service abuse.
Example:
10.0.0.1 – – [01/Jan/1970:00:01:01 -0100] "GET /fckeditor/editor/filemanager/connectors/php/upload.php?Type=Media
…
10.0.0.2 – – [01/Jan/1970:00:01:10… Continue reading Is there a utility that identifies attack footprints in HTTPD log files? [duplicate]
Logging and monitoring tends to be an expensive endeavor because of the sheer amount of data involved. Companies are therefore forced to pick and choose what they monitor, limiting what they can see. Coralogix wants to change that by offering a more flexible pricing model, and today the company announced a $25 million Series B […] Continue reading Coralogix lands $25M Series B to rethink log analysis and monitoring
We are collecting network traffic from switches using Zeek in the form of ‘connection logs’. The connection logs are then stored in Elasticsearch indices via filebeat. Each connection log is a tuple with the following fields: (source_ip, d… Continue reading Baselining internal network traffic (corporate) [migrated]
Lately I am seeing multiple daily 404s for variations of “license.txt”, e.g., “wordpress/license.txt”, “blog/license.txt”, “old/license.txt”, “new/license.txt”. Here’s a little snippet of slightly redacted logfile to illustrate:
5.189.164… Continue reading Why is my web site being scanned for license.txt, and should I be worried?
Road to Detection: YARA-L Examples — Part 4 of 3
Upon reading all of Part 1, Part 2 and Part 3 of my blog series that revealed our (Chronicle) approach to detection, many of you asked for more YARA-L detection language examples.
… Continue reading Road to Detection: YARA-L Examples — Part 4 of 3