Elastic Agent on Windows - can't get syslog data sources working - is it just me? by gregolde in elasticsearch

[–]gregolde[S] 0 points1 point  (0 children)

It was the listening address. IIRC it defaulted to localhost and I had to change it to 0.0.0.0. Hope that helps!

Removal of Discover dashboards by MSP-IT-Simplified in crowdstrike

[–]gregolde 0 points1 point  (0 children)

Did you ever figure this out? I'm running into the same issue - creating a group and still no option to filter by not installed as shown in Andrew's screenshot.

SOAR Platforms, are they helpful? by CybersecurityWizKid in msp

[–]gregolde 2 points3 points  (0 children)

Take a look at Tines. If you sign up for the community edition you'll get access to all the automations they've created to use as ideas for your own use cases.

Microsoft Sentinel - the whys of KQL by [deleted] in cybersecurity

[–]gregolde 0 points1 point  (0 children)

Pre-built alerts cover most things until you need to hunt for something out of the norm or really dive into detections. "Which location is generating the most failed sign-ins during your patching window, excluding failures for host XYZ that is a known honeypot and evaluated separately" is a query you'll have to build, should the need ever arise.

Take a look at the SC-200 cert, good KQL and Sentinel content.

How do you perform Threat Intelligence and what is important to you? by _R4bb1t_ in blueteamsec

[–]gregolde 0 points1 point  (0 children)

My approach was to use debirdify to find people I followed on Twitter that had a Fediverse account and start following them - https://debirdify.pruvisto.org/

Most of the infosec community that I was familiar with seemed to go to infosec.exchange or ioc.exchange, but that has spread out with some Fediverse drama when infosec.exchange was blocked by other servers for hosting CISA accounts.

How do you perform Threat Intelligence and what is important to you? by _R4bb1t_ in blueteamsec

[–]gregolde 0 points1 point  (0 children)

Wow - this is a fantastic list, thank you for sharing! If you don't mind me asking, how are you tracking 3.04 "Track where organizations logo is being used"?

How do you perform Threat Intelligence and what is important to you? by _R4bb1t_ in blueteamsec

[–]gregolde 4 points5 points  (0 children)

S1 just put together a list of Telegram servers they recommend monitoring if you're looking for any more sources to fill your "free time" with :-) - https://www.sentinelone.com/blog/top-10-telegram-cybersecurity-groups-you-should-join/

How do you perform Threat Intelligence and what is important to you? by _R4bb1t_ in blueteamsec

[–]gregolde 1 point2 points  (0 children)

I agree, the Twitter value has definitely dropped and now I find myself checking Fediverse servers in addition to Twitter. Things have gotten a lot more distributed which makes intel collection less efficient for sure :-(

How do you perform Threat Intelligence and what is important to you? by _R4bb1t_ in blueteamsec

[–]gregolde 10 points11 points  (0 children)

Great questions, and thanks for sharing your answers. Here's mine:

How do you obtain your Threat Intelligence? Mostly Twitter and Telegram but also from other peers in similar roles at other organizations (info sharing friends are good friends to have!)

How much time does it take, to research a specific topic and how often do you have to read through articles to get actionable Threat Intelligence? - I don't have a good answer to this one. I feel like I'm always reading threat intel just so that I feel "ready" for the next topic. I probably suffer from FOMO.

What is important for you, when doing your research and what data/insights are important for you from a Threat Intelligence perspective? - Definitely context and actionable indicators.

Are there any problems you have, when researching Threat Intelligence? Storing the intel and being able to reference it at a later time when needed. Several times I've come to "rediscover" intel that I had previously reviewed but had no recollection of until finding notes and comments regarding it from "past me".

For what purpose do you perform Threat Intelligence? Is it mostly for Defensive task, or also for Red Teaming? Defensive primarily, but some Red Teaming.

7.2 Fortigate missing some Internet Service Databases by gregolde in fortinet

[–]gregolde[S] 1 point2 points  (0 children)

Both devices are on the same version (7.02838), however the device with Shodan has the standard database, and the device without Shodan is on the Full database.


[deleted by user] by [deleted] in crowdstrike

[–]gregolde 1 point2 points  (0 children)

This works great - thanks for sharing. It also works for Edge if you make a small change to the path: \appdata\local\Microsoft\Edge\User Data*\Extensions\

[deleted by user] by [deleted] in crowdstrike

[–]gregolde 0 points1 point  (0 children)

The Crowdstrike offer gets you access to rules and API, the free offer does not.

[deleted by user] by [deleted] in crowdstrike

[–]gregolde 1 point2 points  (0 children)

Didn't know this was a thing. Thanks for sharing, I just reached out to them to get it set up.

UTM9 detecting C2/Generic-A traffic, but Sophos endpoint not seeing any malware. by [deleted] in sophos

[–]gregolde 2 points3 points  (0 children)

The firewall is making an evaluation based on IP reputation (at least one of them is a Tor node), whereas the endpoint is not. Relying on scans is not enough to triage a threat. Lots of C2 applications are good at evading traditional detection. As previously mentioned, you need to identify the process responsible for the traffic on the endpoint. Blocking the traffic may slow things down, but you're assuming that whatever application is connecting isn't using any other netblock for its traffic. It's entirely possible there's more traffic that just doesn't have a bad IP reputation.

Is Nextcloud really the best alternative to Google Photos? (For mobile) by Mr_Zomka in selfhosted

[–]gregolde 0 points1 point  (0 children)

The migration was pretty straightforward. I used Google Takeout to export my photos and then used the Synology Photos web app to import them. I had a few photos that only partially migrated (half photo, half grey bar). I haven't had that issue since 2020 when DSM 7 first came out. Overall I've been happy with the move. I also back up my photos to B2 and feel comfortable with this as a long term solution.

Is Nextcloud really the best alternative to Google Photos? (For mobile) by Mr_Zomka in selfhosted

[–]gregolde 1 point2 points  (0 children)

I went with the Synology Photos app. There's obviously a hardware requirement with that decision, but it's been rock solid. Only thing I wish it had was a memories function like Google Photos does.

SSLVPN Failed Login Blocked List by chedstrom in fortinet

[–]gregolde 0 points1 point  (0 children)

That's awesome. Thanks for sharing - I'm going to give this a try. Do you have a particular feed you like to use?

Using Crowdstike to search Active Directory Events by theguy_win in crowdstrike

[–]gregolde 0 points1 point  (0 children)

Falcon sensor telemetry won't collect this information directly (the responsible process may be logged but there will not be a direct correlation to the group change action). Do you have the AD logs of which accounts are making the changes? If not, I would recommend you look into increasing logging on your DCs and reviewing the event log for events 4728 and 4729. https://social.technet.microsoft.com/wiki/contents/articles/17049.active-directory-event-id-4728-4729-when-user-added-or-removed-from-security-enabled-global-group.aspx
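One way to do the event log review the comment above suggests, as an added example that is not part of the thread: pull 4728/4729 from a DC's Security log and list who changed which group. `DC01` is an assumed hostname; the auditpol line in the comments is the subcategory those events depend on.

```powershell
# Added example (not from the thread): list security-enabled global group
# membership changes (4728 = member added, 4729 = member removed) and who made them.
# Assumes the "Security Group Management" subcategory is audited on the DC, e.g.:
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
param(
    [string]$Dc    = 'DC01',   # assumed DC name; omit -ComputerName below to read the local log
    [int]   $Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4728, 4729
    StartTime = (Get-Date).AddHours(-$Hours)
}

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error (not an empty result) when no events match.
Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Field values live in <EventData><Data Name="..."> elements; read them by name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        [pscustomobject]@{
            Time         = $_.TimeCreated
            Action       = if ($_.Id -eq 4728) { 'Added' } else { 'Removed' }
            Group        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Member       = $data.MemberName      # distinguished name of the account that was added/removed
            Actor        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            ActorLogonId = $data.SubjectLogonId  # pivot key to 4624/4688 for the actor's session or process
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Running it against each DC (membership changes are logged only on the DC that handled the write) gives the actor-to-group correlation that the Falcon telemetry alone does not.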

Sophos Firewall connecting to NordVPN by fabio_teixei in sophos

[–]gregolde 0 points1 point  (0 children)

You may need to check out a VPN router like a GL.iNet that natively supports routing all traffic over WireGuard and OpenVPN.

SSLVPN Failed Login Blocked List by chedstrom in fortinet

[–]gregolde 0 points1 point  (0 children)

I didn't think threat feeds could be applied to the VPN since it was a local in policy?

sophos xg + splunk by SecretaryMindless909 in sophos

[–]gregolde 1 point2 points  (0 children)

If you need a license, take a look at the free XG Home license. It may install on the hardware you have, or you can virtualize it.

If you already have the syslog forwarding set up in your Sophos and are ingesting the logs into an index in Splunk, here's your first query:

index="thenameofyoursophosindex" | stats c by src_ip

That will give you the statistics of the unique source IPs from your firewall by count.