# Cyb3rSn0rlax

- [About Cyb3rSn0rlax](https://www.unh4ck.com/master.md): "Snorlax is very lazy, responding only to food and sometimes a battle. Snorlax's main advantage is its huge defensive capabilities, with very few attacks"
- [Building an Open SIEM From Scratch](https://www.unh4ck.com/building-an-open-siem-from-scratch.md): I have used Elastic Stack a few times, in Threat Hunting Lab and Detection & Behavior analysis contexts. This series of blog posts shares what I learned in the process.
- [1. Introduction to Elastic Stack](https://www.unh4ck.com/building-an-open-siem-from-scratch/1.-installing-elastic-stack.md): General introduction and a simplified guide to installing Elastic Stack
- [a. Installing and configuring Elasticsearch](https://www.unh4ck.com/building-an-open-siem-from-scratch/1.-installing-elastic-stack/a.-installing-and-configuring-elasticsearch.md): Guide to installing Elastic Stack
- [b. Installing and configuring Kibana](https://www.unh4ck.com/building-an-open-siem-from-scratch/1.-installing-elastic-stack/b.-installing-and-configuring-kibana.md): Installing Kibana is quite straightforward
- [c. Installing and configuring Logstash](https://www.unh4ck.com/building-an-open-siem-from-scratch/1.-installing-elastic-stack/c.-installing-and-configuring-logstash.md): Logstash requires Java
- [2. Installing OpenDistro for Elasticsearch Plugins](https://www.unh4ck.com/building-an-open-siem-from-scratch/2.-installing-opendistro-for-elasticsearch-plugins.md)
- [3. Installing ElastAlert](https://www.unh4ck.com/building-an-open-siem-from-scratch/3.-installing-elastalert.md): ElastAlert is an alerting project for Elasticsearch maintained by Yelp on GitHub: https://github.com/Yelp/elastalert
- [4. ELK Stack: "L" is for Lord of the Stack](https://www.unh4ck.com/building-an-open-siem-from-scratch/4.-elk-stack-l-is-for-the-lord-of-the-stack.md): Logstash is my favorite tool. So much flexibility and so much to play with.
- [a - Event Parsing: Pipelines](https://www.unh4ck.com/building-an-open-siem-from-scratch/4.-elk-stack-l-is-for-the-lord-of-the-stack/b-logstash-event-parsers-pipelines.md)
- [b - Event Parsing: From Beats to Logstash](https://www.unh4ck.com/building-an-open-siem-from-scratch/4.-elk-stack-l-is-for-the-lord-of-the-stack/a-logstash-event-parsers-inputs-filters-an-outputs.md)
- [c - Event Normalization with ECS](https://www.unh4ck.com/building-an-open-siem-from-scratch/4.-elk-stack-l-is-for-the-lord-of-the-stack/c-logstash-event-parsers-event-normalization-with-ecs.md)
- [5. Alerting in ELK](https://www.unh4ck.com/building-an-open-siem-from-scratch/5.-alerting-with-elk.md)
- [6. Building Detection Rules](https://www.unh4ck.com/building-an-open-siem-from-scratch/6.-building-detection-rules.md)
- [7. Metrics Reports & Dashboards](https://www.unh4ck.com/building-an-open-siem-from-scratch/7.-metrics-reports-and-dashboards.md)
- [A Primer to Detection Engineering Dimensions in a SOC Universe](https://www.unh4ck.com/detection-engineering-dimensions.md): In these three blog articles I will go through different dimensions that impact directly or indirectly the detection engineering process from a SOC perspective.
- [Operationalization](https://www.unh4ck.com/detection-engineering-dimensions/operationalization.md): The ability to scale, manage and tune your detections.
- [Execution](https://www.unh4ck.com/detection-engineering-dimensions/execution.md): The ability to collect, quantify, evaluate and enrich your data.
- [Analytics](https://www.unh4ck.com/detection-engineering-dimensions/analytics.md): The ability to think like an attacker.
- [ELK4QRadar](https://www.unh4ck.com/github-projects/elk4qradar.md): This project was created to help SOC/MSSP teams that run QRadar SIEM for multiple clients collect and centralize monitoring statistics from all of their QRadar deployments.
- [Automating ELK Health Check](https://www.unh4ck.com/github-projects/automating-elk-health-check.md): A little project I started to learn Go; `ELK_Health_Check` is now on my GitHub page. A script that automates some of the basic troubleshooting tasks used to locate issues in an Elasticsearch cluster.
- [DFIR-01 : $MFT](https://www.unh4ck.com/dfir/dfir-01-usdmft.md): The Master File Table contains a record for every file and folder on an NTFS volume.
- [DFIR-02 : Journal Forensics](https://www.unh4ck.com/dfir/dfir-02-journal-forensics.md): Using $LogFile and $UsnJrnl during digital investigations
- [DFIR-03: RDP Authentication Artifacts](https://www.unh4ck.com/dfir/rdp-authentication-artifacts.md): I created a mind map of the artifacts related to RDP authentication, with NLA enabled or disabled, to help collect and analyze forensic evidence during DFIR engagements
- [TA0006 : Credential Access](https://www.unh4ck.com/detection-engineering-and-threat-hunting/ta0006-credential-access.md)
- [Detecting Remote Credentials Dumping via comsvcs.dll](https://www.unh4ck.com/detection-engineering-and-threat-hunting/ta0006-credential-access/detecting-remote-credentials-dumping-via-comsvcs.dll.md): Remote credential dumping via comsvcs.dll, using the Lsassy 3.0.0 tool to showcase stealthier approaches and how to detect them.
- [TA0008 : Lateral Movement](https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement.md)
- [Detecting Lateral Movement via Service Configuration Manager](https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-lateral-movement-via-service-configuration-manager.md): Using Endpoint & Network telemetry to hunt for remote service usage for lateral movement
- [Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1](https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1.md): Detection opportunities for lateral movement techniques used by the CONTI ransomware group with Cobalt Strike.
- [Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2](https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2.md): Detection opportunities for lateral movement techniques used by the CONTI ransomware group with Cobalt Strike.
- [Infosec Game-Sense](https://www.unh4ck.com/misc/infosec-game-sense.md): You can learn a lot just by following these people (my personal opinion)
