rcegan

@rcegann

Followers
395
Following
40K
Media
25
Statuses
2K

Microsoft Sentinel Practice Lead @ MSSP. Defender, Detection Engineering, Threat Emulation. Blog-haver. Hack the planet.

Australia
Joined September 2012
@rcegann
rcegan
7 days
If anyone has designed Detection as Code repos and pipelines with CI/CD pushing content to *many* SIEM instances simultaneously, I'd love to talk! Designing something similar and I want to compare notes.
2
0
5
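Fanning one detection out to many Sentinel workspaces, as the post above asks about, as an added Python example (not the author's code or any project's). The detection definition, subscription ids, resource groups and workspace names are constructed; the rule body and URL follow the shape of the Microsoft.SecurityInsights alertRules REST resource (api-version 2023-02-01); DeviceProcessEvents is my substitution for the placeholder table in the lsass/comsvcs KQL posted further down this timeline.

```python
"""Fan one vendor-neutral detection out to many Sentinel workspaces (added example)."""
import json
import urllib.request
import uuid

API_VERSION = "2023-02-01"  # Microsoft.SecurityInsights alertRules API version

# Constructed, platform-neutral detection definition. The KQL is the lsass/comsvcs
# query from the timeline with DeviceProcessEvents substituted for the placeholder table.
DETECTION = {
    "name": "LSASS memory dump via comsvcs.dll MiniDump",
    "description": "rundll32 comsvcs.dll MiniDump used against lsass (credential dumping).",
    "severity": "High",
    "tactics": ["CredentialAccess"],
    "techniques": ["T1003"],
    "frequency": "PT1H",  # ISO 8601 durations, as the Sentinel API expects
    "period": "PT1H",
    "queries": {
        "sentinel": (
            "DeviceProcessEvents\n"
            "| extend ProcessCommandLine = tolower(ProcessCommandLine)\n"
            "| extend Parsed = parse_command_line(ProcessCommandLine, 'windows')\n"
            "| where Parsed has_all ('lsass.exe', 'comsvcs')"
        ),
    },
}

# Constructed targets, one SIEM instance per customer. All identifiers are placeholders.
TARGETS = [
    {"subscription": "11111111-1111-1111-1111-111111111111",
     "resource_group": "rg-soc-customer-a", "workspace": "law-customer-a"},
    {"subscription": "22222222-2222-2222-2222-222222222222",
     "resource_group": "rg-soc-customer-b", "workspace": "law-customer-b"},
    {"subscription": "33333333-3333-3333-3333-333333333333",
     "resource_group": "rg-soc-customer-c", "workspace": "law-customer-c"},
]


def rule_id(detection: dict) -> str:
    """Deterministic GUID from the rule name: every pipeline run PUTs the same id in
    every workspace (idempotent update) instead of creating duplicate rules."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "detection-as-code/" + detection["name"]))


def to_sentinel_rule(detection: dict) -> dict:
    """Render the neutral definition as a Scheduled analytics rule body."""
    return {
        "kind": "Scheduled",
        "properties": {
            "displayName": detection["name"],
            "description": detection["description"],
            "severity": detection["severity"],
            "enabled": True,
            "query": detection["queries"]["sentinel"],
            "queryFrequency": detection["frequency"],
            "queryPeriod": detection["period"],
            "triggerOperator": "GreaterThan",
            "triggerThreshold": 0,
            "suppressionDuration": "PT1H",
            "suppressionEnabled": False,
            "tactics": detection["tactics"],
            "techniques": detection["techniques"],
        },
    }


def rule_url(target: dict, rid: str) -> str:
    """ARM URL of the alert rule inside one workspace."""
    return (
        "https://management.azure.com/subscriptions/{subscription}"
        "/resourceGroups/{resource_group}"
        "/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        "/providers/Microsoft.SecurityInsights/alertRules/{rid}"
        "?api-version={api}"
    ).format(rid=rid, api=API_VERSION, **target)


def plan_deployment(detection: dict, targets: list[dict]) -> list[dict]:
    """Build every PUT without sending anything, so CI can diff and review the plan
    before the pipeline touches a tenant."""
    rid = rule_id(detection)
    body = to_sentinel_rule(detection)
    return [
        {"workspace": t["workspace"], "method": "PUT", "url": rule_url(t, rid), "body": body}
        for t in targets
    ]


def push(plan: list[dict], bearer_token: str, timeout: int = 30):
    """Send the planned PUTs (network only; yields (workspace, HTTP status)). The token
    must be valid for each target subscription: across tenants that means an Azure
    Lighthouse delegation or one token per tenant."""
    for step in plan:
        req = urllib.request.Request(
            step["url"],
            data=json.dumps(step["body"]).encode("utf-8"),
            method=step["method"],
            headers={"Authorization": "Bearer " + bearer_token,
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            yield step["workspace"], resp.status


if __name__ == "__main__":
    for step in plan_deployment(DETECTION, TARGETS):
        print(step["method"], step["url"])
```

The split between plan_deployment and push is the point: the plan is pure and testable in CI, and the same neutral definition can grow a second renderer for another SIEM without touching the delivery code.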
@rcegann
rcegan
8 days
Reminder to attend your local #bsides! TIL about MITRE Engage. Feeling the deception itch.
0
0
4
@rcegann
rcegan
10 days
After 6 years in the industry and multiple years fiddling with CI/CD pipelines, the day has come for me to finally perform a 3-way git merge.
0
0
3
@rcegann
rcegan
12 days
In keeping with the tenets of Elastic's detection engineering maturity model, I am going to spin up a DaC lab and see how we go. The native Sentinel 'Repositories' feature is a little underbaked, and I need to support multiple SIEM platforms, so should be good fun. 😎.
@rcegann
rcegan
29 days
I like detection as code in theory but the management overhead that comes with maintaining a huge repo of example logs and constantly running CI/CD unit tests, writing scripts to convert detections into their SIEM-native format, pushing them via API. I don't get it for most.
0
0
10
@rcegann
rcegan
12 days
As a detection engineer, detection objectively sucks compared to prevention ;). Stop the baddies first, and keep the SOC alerts low :)).
@reprise_99
Matt Zorich
14 days
This is also because a threat actor is quite likely to be operating from a device not under your management, so your tools aren't deployed to it, or they are using a vector not covered by security tools like social engineering. This is what makes device compliance such a strong.
0
0
10
@rcegann
rcegan
18 days
Anyone ever setup the 'Repositories' feature in Microsoft Sentinel and had it work across multiple tenants? 👀.
0
0
0
@rcegann
rcegan
25 days
I love spending hours and hours re-writing my Sentinel 'TI map' queries to use the new Sentinel Threat Intel table 🙃.
0
0
3
@rcegann
rcegan
1 month
Threat Intel is collecting 70+ links to read, not reading any of them for months, then speedreading every article in one go. Then the process resets.
0
0
2
@rcegann
rcegan
1 month
Was related to a block for Advanced IP Scanner. However, looking at the hash in the alert versus the endpoint block list (and the tenant allow/block list), there was no match. Very curious.
0
0
2
@rcegann
rcegan
1 month
Fixed! I had to go through all the Sentinel alerts and extract the hashes from the Entities, and I eventually found the hashes that were causing the alerts in the endpoint block list. After removing them, everything's quiet. Hopefully MS can make the UI experience better 👀.
@rcegann
rcegan
1 month
Do I actually have to remove every single hash in this Defender tenant to stop 'CustomEnterpriseBlock' from triggering?? I've scraped the alerts triggering the detection repeatedly via Sentinel and 80% of the hashes aren't even in the block list 😓.
1
0
5
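The hash triage described in the two posts above (pull the file hashes out of each alert's Entities, then compare them with the Defender block list), as an added Python example that is not the author's code. The alert rows, hashes and indicator export are constructed; the Entities payload follows the Sentinel SecurityAlert entity format (a JSON array with "filehash" entries carrying Algorithm and Value), and the block-list rows loosely follow the Defender custom indicator fields (indicatorValue, indicatorType, action).

```python
"""Extract file hashes from Sentinel SecurityAlert Entities and diff them against a
Defender custom-indicator export (added example, constructed data)."""
import json

# Constructed SecurityAlert rows. Entities is stored as a JSON string; only the
# file / filehash / host / process shapes are used here. Hash values are made up.
SAMPLE_ALERTS = [
    {"SystemAlertId": "a1", "AlertName": "CustomEnterpriseBlock",
     "Entities": json.dumps([
         {"$id": "2", "Name": "advanced_ip_scanner.exe", "Directory": "C:\\Users\\x\\Downloads",
          "FileHashes": [{"$ref": "3"}], "Type": "file"},
         {"$id": "3", "Algorithm": "SHA256", "Value": "aa" * 32, "Type": "filehash"},
         {"$id": "4", "HostName": "WS-01", "Type": "host"},
     ])},
    {"SystemAlertId": "a2", "AlertName": "CustomEnterpriseBlock",
     "Entities": json.dumps([
         {"$id": "2", "Algorithm": "SHA1", "Value": "bb" * 20, "Type": "filehash"},
         {"$id": "3", "Algorithm": "MD5", "Value": "CC" * 16, "Type": "filehash"},
     ])},
    {"SystemAlertId": "a3", "AlertName": "Suspicious PowerShell",
     "Entities": json.dumps([{"$id": "2", "ProcessId": "4242", "Type": "process"}])},
]

# Constructed indicator export; mixed case on purpose, since hash case differs between
# the block list UI, API exports and alert entities.
BLOCK_LIST = [
    {"indicatorValue": "AA" * 32, "indicatorType": "FileSha256", "action": "Block"},
    {"indicatorValue": "dd" * 20, "indicatorType": "FileSha1", "action": "Block"},
]


def extract_file_hashes(alert: dict) -> set[str]:
    """Lower-cased hash values from every filehash entity in one alert."""
    entities = json.loads(alert["Entities"]) if alert.get("Entities") else []
    return {
        e["Value"].lower()
        for e in entities
        if e.get("Type", "").lower() == "filehash" and e.get("Value")
    }


def hashes_by_alert(alerts: list[dict], alert_name: str) -> dict[str, set[str]]:
    """SystemAlertId -> file hashes, restricted to alerts with the given name."""
    return {
        a["SystemAlertId"]: extract_file_hashes(a)
        for a in alerts
        if a["AlertName"] == alert_name
    }


def diff_against_block_list(alerts: list[dict], block_list: list[dict],
                            alert_name: str = "CustomEnterpriseBlock") -> dict[str, set[str]]:
    """Three sets a triager wants: hashes both alerting and on the list ("matched"),
    alerting hashes missing from the list ("unexplained", i.e. the block came from
    somewhere else), and list entries that never fired ("unused")."""
    fired = set().union(*hashes_by_alert(alerts, alert_name).values())
    listed = {row["indicatorValue"].lower() for row in block_list
              if row.get("indicatorType", "").startswith("File")}
    return {
        "matched": fired & listed,
        "unexplained": fired - listed,
        "unused": listed - fired,
    }


if __name__ == "__main__":
    for bucket, values in diff_against_block_list(SAMPLE_ALERTS, BLOCK_LIST).items():
        print(bucket, sorted(values))
```

Anything landing in "unexplained" is a hash the tenant's custom indicators do not account for, which is the situation the posts describe and the first place to look before deleting indicators wholesale.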
@rcegann
rcegan
1 month
Being an MSSP is painful sometimes. Every solution is at least 10x more complicated, and another additional 10x when you're working across multiple platforms 🙃.
0
0
1
@rcegann
rcegan
1 month
Time for a new homelab server! Going with a Minisforum BD795i with a Ryzen 9 7945HX to supersede my current server with a 3900X 👀. 16C/32T in an ITX chassis, 96GB of RAM. *slaps roof* this baby can fit so many LOGS in it
0
0
0
@rcegann
rcegan
1 month
Nice change by the @kalilinux team aligning the tools menu to MITRE. :). Feeling nostalgic about Backtrack now, too.
0
0
2
@rcegann
rcegan
1 month
Any good red team/offensive ops books that are recommended? Trying to broaden my horizons 😁.
0
0
1
@rcegann
rcegan
1 month
RT @ObsoleteSony: SmolStation ❤️
0
351
0
@rcegann
rcegan
1 month
New year, old tricks.
// YourProcessEvents is a placeholder for your process-creation table
YourProcessEvents
| extend ProcessCommandLine = tolower(ProcessCommandLine)
// split the command line into argv-style tokens before matching
| extend Parsed_ProcessCommandLine = parse_command_line(ProcessCommandLine, "windows")
| where Parsed_ProcessCommandLine has_all ("lsass.exe", "comsvcs")
0
0
1
@rcegann
rcegan
2 months
RT @jamieantisocial: learn to love yourself 😅😘
0
4
0
@rcegann
rcegan
2 months
To know your enemy, one must know themselves, or something.
0
0
0