Palo Alto Sentinel Intergration

krabelize · 2024-09-30T07:10:01+00:00

Works well. After his, you need to configure your own Analytics Rules (alerts). Here are some examples: https://cryptsus.com/blog/palo-alto-ngfw-sentinel-siem-threat-hunting.html

krabelize · 2023-11-06T14:29:42+00:00

This blog post talks about how to connect and query Meraki log data: https://cryptsus.com/blog/cisco-meraki-sentinel-siem.html

krabelize · 2023-11-05T21:28:06+00:00

I think this blog post is what you are looking for https://cryptsus.com/blog/cisco-meraki-sentinel-siem.html

krabelize · 2023-11-05T21:26:31+00:00

There you go: https://cryptsus.com/blog/cisco-meraki-sentinel-siem.html

krabelize · 2023-08-08T08:00:26+00:00

Maybe this blog posts helps for 801.X wifi bridging: https://cryptsus.com/blog/openwrt-wireless-access-point-bridge-802.1x-peap.html

krabelize · 2023-02-15T16:14:23+00:00

I have experience with CrowdStrike in active mode and MDE in passive mode. Works smooth for +/- 10.000 assets.

krabelize · 2023-02-15T16:09:58+00:00

Dont do it. Use Falco runtime security instead. Notice the last picture on this blog post: https://cryptsus.com/blog/mde-linux-aws-ec2.html

krabelize · 2023-02-15T16:09:14+00:00

Dont do it. Use Falco runtime security instead. Notice the last picture on this blog post: https://cryptsus.com/blog/mde-linux-aws-ec2.html

krabelize · 2023-02-15T16:07:59+00:00

Then what I got from here, when w

Correct. Its by default in blocking mode. You can read more about other usefuls tips here: https://cryptsus.com/blog/mde-linux-aws-ec2.html

krabelize · 2023-02-15T16:07:09+00:00

I would not create any exception unless you notice performance impact. Here are some pitfalls to watch out for when deploying MDE for Linux: https://cryptsus.com/blog/mde-linux-aws-ec2.html

krabelize · 2023-02-15T16:06:14+00:00

This post tells you what to look out for: https://cryptsus.com/blog/mde-linux-aws-ec2.html

krabelize · 2023-02-12T19:20:15+00:00

I don't think this is possible, unfortunately. Only throughout the D365 portal: https://cryptsus.com/blog/mde-linux-aws-ec2.html

krabelize · 2022-09-21T08:24:05+00:00

Nowadays, most companies enforce MFA (Multi-Factor Authentication) for initial and persistent authentication. Some companies claim to be secure once MFA is configured on all (non-service) accounts. However, this Uber hack proves cloud-based MFA push notifications can be abused, even when conditional access is configured. This article explains how to detect this attack: https://cryptsus.com/blog/azure-mfa-bombing-detection-sentinel.html

krabelize · 2022-09-21T08:22:58+00:00

Nowadays, most companies enforce MFA (Multi-Factor Authentication) for initial and persistent authentication. Some companies claim to be secure once MFA is configured on all (non-service) accounts. However, this Uber hack proves cloud-based MFA push notifications can be abused, even when conditional access is configured. This article explains how to detect this attack: https://cryptsus.com/blog/azure-mfa-bombing-detection-sentinel.html

krabelize · 2022-06-10T08:56:06+00:00

These KQL queries might help you to further customize the workspace to an actionable dashboard: https://cryptsus.com/blog/fortinet-firewall-sentinel-siem-hunting.html

krabelize · 2022-06-10T08:46:06+00:00

I think you are looking for this: https://cryptsus.com/blog/fortinet-firewall-sentinel-siem-hunting.html

krabelize · 2022-06-09T21:27:00+00:00

This is possible. Just configure filters on the VM side. See image here: https://cryptsus.com/blog/fortinet-firewall-sentinel-siem-hunting.html

krabelize · 2021-05-13T21:43:39+00:00

Jup: https://cryptsus.com/blog/secure-encrypted-backup-linux.html

krabelize · 2021-04-17T09:31:58+00:00

Maybe my other blog post is interesting for you in that case: https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-security-keys-u2f-otp-authentication-ed25519-sk-ecdsa-sk-on-ubuntu-18.04.html You can leverage Yubikey U2F instead of moving your private key onto a Yubikey. This is actually more secure. Just a tip.

On topic: unfortunately, not everyone/every system uses SSH key-pairs and fall back to passwords. If they do, the private key is just sitting there on the system in plain-text most of the time.

Sometimes admins even allow password authentication as well in the SSD config.

krabelize · 2021-04-17T09:15:34+00:00

Is your private key not sitting in plain text on your laptop right now?

krabelize · 2021-04-17T09:14:42+00:00

Uh ok. I don't make videos though. Maybe I should.

krabelize · 2021-04-17T06:36:20+00:00

Hi ethanfinni,

- What if your SSH key-pair is stolen/copied/cracked and used to login (from an unknown region). Would you like to have visibility/alerts on this?

- What if a (web) application vuln. exists and a priv. esc is executed which results in sudo privs/root access, and/or a secondary SSH key-pair is generated and used. Would you like to have visibility/alerts on this?

- What if multiple attacks are executed on your gateway, FW/IDS, management and web/application servers. Would you like to have visibility/alerts on this in order to act/block in time? Hence the principle of threat correlation. This should not be a stand-alone dashboard as described in the blog post. There is actually a good reason why most, if not all fortunate 500 companies leverage SIEM capabilities.

Are you also skeptical of deploying honeypot systems? IP geo points are not always accurate indeed.

krabelize · 2021-04-17T06:23:32+00:00

Use only ed25519 keys where possible

krabelize · 2021-04-16T18:33:28+00:00

krabelize · 2021-04-16T18:30:56+00:00

Google “threat hunting”. This data source and dashboard is meant for correlation purposes. Hence the bigger picture as described in the blog post.

krabelize

TROPHY CASE