Jim Schwar
@jimiDFIR
Followers 1K · Following 5K · Media 377 · Statuses 6K
Security specialist who hunts for evil. Incident Responder, amateur malware analyst, independent security researcher.
Joined March 2013
One of the greatest joys in my life is watching someone I know succeed.
I know some people often wonder if an Application Id they see in logs is a first-party Microsoft app. I wrote this KQL to pull down the list of apps from the MS Learn doc itself and create a table from it, so you can then query it, join to it, etc. - https://t.co/x9MfCefuHF
regex is like Jenga, one wrong move and the whole effing thing comes crashing down
Regex: when you want to match some characters, but not too many characters, but also maybe some other characters, but not those characters, unless they're followed by these other characters... you know what, never mind, let's just use brute force. 🤯🤯🤯
It drives me bonkers that not all SIEMs support this, and it's why I really like analytics platforms as the basis for threat detection/response.
The choice of parsing method depends on the specific use case and the types of data being analyzed. You need all of the above available to engineers to quickly and effectively get data in front of your analysts.
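An added example, not part of the thread, showing three of the methods it lists working together: regex field extraction applied line by line (single-line parsing), then a multi-pass step that groups related events by source and applies a rule across the group. The sshd-style log lines, field names and the "failures followed by a success" rule are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (syslog/sshd style), not taken from any real system.
SAMPLE_LOG = """\
Mar 10 08:01:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:04 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:06 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:01:09 host1 sshd[1202]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Mar 10 08:05:00 host1 sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Mar 10 08:05:01 host1 sshd[1300]: pam_unix(sshd:session): session opened for user alice
"""

# Regex-based field extraction: one pattern pulls named fields out of an sshd auth line.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)

def parse_line(line):
    """Single-line parsing: each line is an independent event; None if no fields match."""
    m = AUTH_RE.match(line)
    return m.groupdict() if m else None

def parse_log(text):
    """Apply single-line parsing to every line, keeping only events the extractor understood."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]

def failed_then_success(events, threshold=3):
    """Multi-pass parsing: group events by source IP, then apply a rule across each group.
    Flags a source with >= threshold consecutive failures followed by an Accepted login,
    a pattern that no single-line rule can see because it spans several events."""
    by_src = defaultdict(list)
    for ev in events:                      # pass 1: group related events
        by_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in by_src.items():        # pass 2: evaluate the rule per group, in order
        failures = 0
        for ev in evs:
            if ev["result"] == "Failed":
                failures += 1
            elif failures >= threshold:    # Accepted after enough failures
                hits[src] = {"failures": failures, "user": ev["user"]}
                break
            else:
                failures = 0               # a clean success resets the counter
    return hits

if __name__ == "__main__":
    print(failed_then_success(parse_log(SAMPLE_LOG)))
```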
Rule-based parsing involves creating rules that identify specific patterns or keywords within log data and extracting relevant information. This method can be useful for specific use cases, such as identifying known threats or compliance violations.
Regular expressions are a powerful method of parsing that involves defining patterns in log data and extracting information based on those patterns. This method is useful for complex data structures that require more sophisticated parsing techniques.
Field extraction is a method of parsing that involves identifying specific fields within a log file and extracting them for analysis. This method is useful for log files with a consistent structure and specific fields that contain relevant information.
Multi-pass parsing involves analyzing the entire log file and grouping related events before performing parsing and analysis. This method can be more accurate than single-line parsing and can provide a more comprehensive view of the data.
Single-line parsing reads each line of log data as a separate event and analyzes it. This approach is useful for simple data structures and can be more efficient and faster than other parsing methods.
There are several types of log parsing methods, including single-line parsing, multi-pass parsing, field extraction, regular expressions, and rule-based parsing. The best method depends on the data structure and specific use case.
Log parsing is the process of analyzing and extracting relevant information from log data. It is a critical component of security monitoring and threat detection.
SIEM technology is like that one annoying co-worker who always has something to say but never really delivers.
The billions of dollars of investment into ChatGPT and OpenAI will be worth every cent even if all I ever use it for is to solve my regex problems.
🔍 My ultimate workflow for simple and easy JavaScript Analysis ⚡️ Comprehensive JavaScript analysis in offensive security, appsec testing, and red teaming wins. Often you can find juicy hidden endpoints, parameters, & domains buried in JS! A thread 🧵 1/x 👇
If you know what the turbo button is for don't forget to take an anti-inflammatory for your back and knees today
At the end of the day, detection is about reducing FPs to spot bad; any evaluation that doesn't account for that, to me, is just scratching the surface (and indirectly participates in alert fatigue and ++ SOC analysis cost).
If you are an ex-member of ISC2 that has received an email in the last 6 months about potential re-certification, please DM me. RT appreciated.
Anyone know of a PhishTank equivalent for malware? Something that has subjects, senders, attachment names?