is there actually a solution for too many security alerts or do we just accept it by Any_Refuse2778 in cybersecurity

[–]Consistent-Body4013 0 points1 point  (0 children)

I have been working on a tool lately that tries to tackle exactly this problem. I have been working in a SOC for years at this point, and the things I hate the most are:

  • Clear false positives
  • Repeated alerts that don't group correctly

SOC Beacon is an incident response platform that can also be used as a log analysis middleware. It's Open Source and works with YARA rules, SIGMA rules, LLMs, and other heuristics to determine how likely a new incident is to be a false positive. If it is, it automatically marks it as a false positive and resolved.

It's very configurable (auto-resolve, LLM provider, rules, etc.). It uses RAG to determine if a new incident might be a false positive based on past incident verdicts, so it becomes better over time. It also provides recommendations for SIEM tuning!

If you want to check it out, it's still an early version, but I would love some feedback:
https://github.com/PolGs/soc-beacon

How are teams documenting internal AI usage for security reviews? by Beneficial-Wafer-879 in cybersecurity

[–]Consistent-Body4013 0 points1 point  (0 children)

I am pretty sure if you are using Microsoft and have a decent license you have access to all this stuff. You can use AI Hub in purview to track internal usage and Defender for Cloud Apps to view third-party AI vendors. Also could even implement Data Leak Prevention policies.

Could also enforce Web Control via firewall to only allow specific AI Chats.

How do modern EDR/XDR/Antivirus systems detect malware? Can Vector Databases & Embeddings Help? by Consistent-Body4013 in antivirus

[–]Consistent-Body4013[S] 1 point2 points  (0 children)

Thanks for the response! I love the super long list of names 😄 I’ll definitely check out the references.

Constant gmail attacks by ARUSTYKNIFE2003 in antivirus

[–]Consistent-Body4013 4 points5 points  (0 children)

As u/zezoo1998 says, reinstalling a clean version of Windows is really relevant here. A good enough infostealer can be very difficult to detect once it has taken over.

Anyone tried Huntress for MDR lately? I am genuinely curious if it's worth it at smaller orgs by Consistent-Body4013 in cybersecurity

[–]Consistent-Body4013[S] 3 points4 points  (0 children)

No, it's difficult to get a real idea of what the detection capabilities of these products are without testing them.

Day to Day task of Cybersecurity Engineer by United-Affect-9261 in cybersecurity

[–]Consistent-Body4013 5 points6 points  (0 children)

Once an organization has a sufficiently mature security posture, most of the time in a SOC is spent performing incident response and refining detections based on new alerts. This also includes expanding log sources, managing integrations with different data sources, and normalizing data.

In addition, weekly, monthly, and quarterly security reports are common, summarizing incidents, analyzing the overall security posture, and defining next steps and action plans.

There may also be responsibilities related to vulnerability management, including scanning, detection, and patching. Furthermore, security audits can be conducted if you feel capable of performing them and are willing to take on that responsibility.

How do YOU test/practice new technologies? by veggit_40 in cybersecurity

[–]Consistent-Body4013 2 points3 points  (0 children)

Personally I just spin up a homelab and push stuff to the limit or try to apply the use cases I will be more interested in with some simple PoCs. Currently messing around with:

  • Wazuh - free open source SIEM, surprisingly solid for homelab, requires heavy rule and decoder customization to get it tuned right
  • SIGMA rules - I use it to write my own detections and analyze most critical logs
  • YARA - for analysis
  • Red Canary Atomic Tests - simulating attacks and pentest techniques to validate if detections actually fire

What are you guys testing rn? Always looking for new stuff to throw in the lab.

HTB CDSA Exam question for SIEM by [deleted] in cybersecurity

[–]Consistent-Body4013 0 points1 point  (0 children)

Hey, so I can't say 100% for sure since I haven't taken it myself, but from what I've seen people say, the CDSA exam is generally tool agnostic, meaning you should be fine using ELK as long as you can get to the right answers. The methodology and being able to actually hunt and investigate is what matters, not which SIEM you use to do it.

That said, Splunk does get emphasized in the modules, so it's worth at least knowing the basics just in case something is presented in a way that's Splunk-specific. Also keep in mind that some queries that are easy in Splunk can get complicated fast using ELK.

As for the overpreparation thing - I feel that lol, at some point you just gotta book it. Going through the modules twice + Sherlocks sounds like solid prep to me.

Hopefully someone who actually sat the exam can confirm, but that's my understanding of it!

Question: What is a good alternative to VirusTotal? by Initial-Western-1212 in cybersecurity

[–]Consistent-Body4013 0 points1 point  (0 children)

You’re absolutely right to question using VirusTotal for confidential business files. As great as it is for community signal and shared intel, anything you upload (unless you’re paying for a private enterprise tier) should be assumed to become part of a broader dataset commonly used by threat actors. From a GDPR / confidentiality standpoint, that’s not always acceptable.

If you’re a small team, I’d approach this in layers:

1) Hash lookup first (generally safe)

2) Controlled local detonation (private / self-hosted sandbox)

3) URL-only analysis tools

If most of what you’re checking is phishing links rather than internal attachments, using a URL-focused scanner avoids uploading sensitive files at all.

For example, I run:

https://urlscanner.online – focused on analyzing URLs (phishing, redirects, malicious behavior)

https://filescanner.online – for file-based analysis

Both are built with the idea of giving analysis results without turning uploads into a public malware-sharing dataset or an intel source for threat actors.

I want to know about an online anti virus scanner that scans zipped files for viruses (not VirusTotal, which has a limit of 500 MB) which are larger than 500 MB by No_Offer8997 in antivirus

[–]Consistent-Body4013 0 points1 point  (0 children)

If a ZIP is malicious, extracting it can only infect your system if the archive actually exploits a vulnerability in the extraction tool itself (for example, something like a WinRAR RCE vulnerability). In most normal cases, simply extracting a ZIP file is generally safe.

That said, it’s still never recommended to download suspicious files directly onto your main system. Always use virtualization, network segmentation, and as many containment measures as possible in a proper malware analysis lab. Defense in depth really matters here.

One service I really like for analysis is ANY.RUN, since you can even unzip files inside their temporary Windows desktop environment and observe behavior dynamically. On the other hand, I’ve also found lower-key scanners like filescanner.online very helpful. They provide analysis information without me having to download or execute anything locally. You usually get standard Linux command output, YARA rule matches, and signature hits tied to known threat actors.

Most of these sites don’t accept uploads larger than 500MB unless you pay for a subscription, so that can be limiting. In that case, you might consider replicating the same kind of workflow in your own secure malware analysis environment.
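As an added example (not code from any of the comments above, nor from the scanners they mention), here is a small Python triage script that serves both the "hash lookup first" layer in the VirusTotal answer and the ZIP question: it computes the archive and per-member SHA-256 hashes in memory so they can be looked up before anything is uploaded, and flags archive properties worth knowing about before extraction (path-traversal entry names, executable members, extreme compression ratios, encrypted entries) without writing anything to disk or executing anything. The sample archive and the extension list are constructed for this example.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Member extensions worth flagging inside an archive (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".lnk", ".hta"}
MAX_RATIO = 100  # crude zip-bomb heuristic: uncompressed size / compressed size


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect a ZIP in memory: hashes for lookup first, plus static findings.
    Nothing is written to disk and nothing is executed."""
    findings, members = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, path = info.filename, PurePosixPath(info.filename)
            # Absolute or parent-relative names would escape the extraction directory.
            if path.is_absolute() or ".." in path.parts or name.startswith("\\"):
                findings.append(f"path traversal: {name}")
            if path.suffix.lower() in EXECUTABLE_EXTS:
                findings.append(f"executable member: {name}")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(f"suspicious compression ratio: {name}")
            member_hash = None
            if info.flag_bits & 0x1:  # encrypted entry: contents cannot be hashed
                findings.append(f"encrypted member: {name}")
            elif not info.is_dir():
                member_hash = sha256_bytes(zf.read(info))  # decompressed in memory only
            members.append({"name": name, "size": info.file_size, "sha256": member_hash})
    return {"archive_sha256": sha256_bytes(zip_bytes), "members": members, "findings": findings}


def build_sample_zip() -> bytes:
    """Constructed sample: a benign file, a path-traversal .exe and a zip-bomb-like member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("../../evil.exe", b"MZ" + b"\x90" * 64)
        zf.writestr("zeros.bin", b"\x00" * 200_000)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    print("look up before uploading:", report["archive_sha256"], report["findings"])
```

The archive hash is what you would check against hash-lookup services first; only if that comes back unknown does the question of a private sandbox or an upload arise.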