{"version":1,"pages":[{"id":"-MO7A-hOtn8Nyd0nvJNE","title":"About Cyb3rSn0rlax","pathname":"/","siteSpaceId":"sitesp_sPlap","description":"\"Snorlax is very lazy, responding only to food and sometimes a battle. Snorlax's main advantage is its huge defensive capabilities, with very few attacks\""},{"id":"-MO8IoFELaumf0xV6jTv","title":"Building an Open SIEM From Scratch","pathname":"/building-an-open-siem-from-scratch","siteSpaceId":"sitesp_sPlap","emoji":"1f9de","description":"I have used Elastic Stack a few times, whether in a Threat Hunting Lab or in Detection & Behavior analysis contexts. This series of blogs is about sharing what I learned in the process."},{"id":"-MO7GhLSXKvsJEvUk05a","title":"1. Introduction to Elastic Stack","pathname":"/building-an-open-siem-from-scratch/1.-installing-elastic-stack","siteSpaceId":"sitesp_sPlap","description":"General Introduction and simplified guide on how to install Elastic Stack","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"}]},{"id":"-MOILY8AJCttOPghkFnO","title":"a. Installing and configuring Elasticsearch","pathname":"/building-an-open-siem-from-scratch/1.-installing-elastic-stack/a.-installing-and-configuring-elasticsearch","siteSpaceId":"sitesp_sPlap","description":"Guide to install Elastic Stack","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"},{"label":"1. Introduction to Elastic Stack"}]},{"id":"-MOIpztn913Gl3pdWo-r","title":"b. Installing and configuring Kibana","pathname":"/building-an-open-siem-from-scratch/1.-installing-elastic-stack/b.-installing-and-configuring-kibana","siteSpaceId":"sitesp_sPlap","description":"Installing Kibana is quite straightforward","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"},{"label":"1. Introduction to Elastic Stack"}]},{"id":"-MOIqJj0Y88MEGnQU2-5","title":"c. Installing and configuring Logstash","pathname":"/building-an-open-siem-from-scratch/1.-installing-elastic-stack/c.-installing-and-configuring-logstash","siteSpaceId":"sitesp_sPlap","description":"Logstash requires Java","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"},{"label":"1. Introduction to Elastic Stack"}]},{"id":"-MO7Pi5S6pCngPY97aOY","title":"2. Installing OpenDistro for Elasticsearch Plugins","pathname":"/building-an-open-siem-from-scratch/2.-installing-opendistro-for-elasticsearch-plugins","siteSpaceId":"sitesp_sPlap","description":"","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"}]},{"id":"-MO7Q3XDGTDVIU-heaZK","title":"3. Installing ElastAlert","pathname":"/building-an-open-siem-from-scratch/3.-installing-elastalert","siteSpaceId":"sitesp_sPlap","description":"ElastAlert is an alerting project for elasticsearch maintained by YELP on GitHub : https://github.com/Yelp/elastalert","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"}]},{"id":"-MO7QRvRZF4BjsVs6iVH","title":"4. ELK Stack: \"L\" is for Lord of the Stack","pathname":"/building-an-open-siem-from-scratch/4.-elk-stack-l-is-for-the-lord-of-the-stack","siteSpaceId":"sitesp_sPlap","description":"Logstash is my favorite tool. So much flexibility and so much to play with.","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"}]},{"id":"-MO7Rh1ev4zzzt_rEjuC","title":"a- Event Parsing: Pipelines","pathname":"/building-an-open-siem-from-scratch/4.-elk-stack-l-is-for-the-lord-of-the-stack/b-logstash-event-parsers-pipelines","siteSpaceId":"sitesp_sPlap","description":"","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"},{"label":"4. ELK Stack: \"L\" is for Lord of the Stack"}]},{"id":"-MO7QcvkP_L1VJTWVTpB","title":"b - Event Parsing : From Beats to Logstash","pathname":"/building-an-open-siem-from-scratch/4.-elk-stack-l-is-for-the-lord-of-the-stack/a-logstash-event-parsers-inputs-filters-an-outputs","siteSpaceId":"sitesp_sPlap","description":"","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"},{"label":"4. ELK Stack: \"L\" is for Lord of the Stack"}]},{"id":"-MO7RpiNSgRIY-KAG_Is","title":"c- Event Normalization with ECS","pathname":"/building-an-open-siem-from-scratch/4.-elk-stack-l-is-for-the-lord-of-the-stack/c-logstash-event-parsers-event-normalization-with-ecs","siteSpaceId":"sitesp_sPlap","description":"","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"},{"label":"4. ELK Stack: \"L\" is for Lord of the Stack"}]},{"id":"-MO7RHulvNk2ztXjRPjS","title":"5. Alerting in ELK","pathname":"/building-an-open-siem-from-scratch/5.-alerting-with-elk","siteSpaceId":"sitesp_sPlap","description":"","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"}]},{"id":"-MO7SoIx1_TW1C5X-v-8","title":"6. Building Detection Rules","pathname":"/building-an-open-siem-from-scratch/6.-building-detection-rules","siteSpaceId":"sitesp_sPlap","description":"","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"}]},{"id":"-MO7TBv2E7nFZK2NxUr6","title":"7. Metrics Reports & Dashboards","pathname":"/building-an-open-siem-from-scratch/7.-metrics-reports-and-dashboards","siteSpaceId":"sitesp_sPlap","description":"","breadcrumbs":[{"label":"Building an Open SIEM From Scratch","emoji":"1f9de"}]},{"id":"-MfxZNasgK3Xpf0bJlZn","title":"A Primer to Detection Engineering Dimensions in a SOC Universe","pathname":"/detection-engineering-dimensions","siteSpaceId":"sitesp_sPlap","emoji":"1f6e1","description":"In these three blog articles I will go through different dimensions that impact directly or indirectly the detection engineering process from a SOC perspective."},{"id":"-MjKOfuEymPo0SMDOD4y","title":"Operationalization","pathname":"/detection-engineering-dimensions/operationalization","siteSpaceId":"sitesp_sPlap","description":"The ability to scale, manage and tune your detections.","breadcrumbs":[{"label":"A Primer to Detection Engineering Dimensions in a SOC Universe","emoji":"1f6e1"}]},{"id":"-MjKP6UjzWy52R1dOOSl","title":"Execution","pathname":"/detection-engineering-dimensions/execution","siteSpaceId":"sitesp_sPlap","description":"The ability to collect, quantify, evaluate and enrich your data.","breadcrumbs":[{"label":"A Primer to Detection Engineering Dimensions in a SOC Universe","emoji":"1f6e1"}]},{"id":"-MjKPS4VtyQKeEpA0Iav","title":"Analytics","pathname":"/detection-engineering-dimensions/analytics","siteSpaceId":"sitesp_sPlap","description":"The ability to think like an attacker.","breadcrumbs":[{"label":"A Primer to Detection Engineering Dimensions in a SOC Universe","emoji":"1f6e1"}]},{"id":"-MQ6tbre1MLVcgAzP_S3","title":"ELK4QRadar","pathname":"/github-projects/elk4qradar","siteSpaceId":"sitesp_sPlap","description":"This project was created to help SOC MSSP teams that use QRadar SIEM with multiple clients to collect and centralize monitoring statistics from all QRadar deployments.","breadcrumbs":[{"label":"GitHub Projects","emoji":"1f63a"}]},{"id":"-MWLgBXwV9XChM1FlJ-4","title":"Automating ELK Health Check","pathname":"/github-projects/automating-elk-health-check","siteSpaceId":"sitesp_sPlap","description":"A little project I started to learn GoLang and \"ELK_Health_Check\" is now on my GitHub page. A script to automate some of the basic troubleshooting tasks to locate issues in an elasticsearch cluster.","breadcrumbs":[{"label":"GitHub Projects","emoji":"1f63a"}]},{"id":"-MOi-3Yt2nZ3h20MM-NA","title":"DFIR-01 : $MFT","pathname":"/dfir/dfir-01-usdmft","siteSpaceId":"sitesp_sPlap","description":"The Master File Table contains information about every file and folder on the system.","breadcrumbs":[{"label":"DFIR","emoji":"1f4be"}]},{"id":"-MOmC_aLYx3XETlGpwoV","title":"DFIR-02 : Journal Forensics","pathname":"/dfir/dfir-02-journal-forensics","siteSpaceId":"sitesp_sPlap","description":"Using $LogFile and $UsnJrnl during digital investigations","breadcrumbs":[{"label":"DFIR","emoji":"1f4be"}]},{"id":"-MjE-oaVqwXqjz33YDO7","title":"DFIR-03: RDP Authentication Artifacts","pathname":"/dfir/rdp-authentication-artifacts","siteSpaceId":"sitesp_sPlap","description":"I created a Mindmap that represents different artifacts related to RDP authentication with NLA enabled or disabled to help collect and analyze forensic artifacts during DFIR engagements","breadcrumbs":[{"label":"DFIR","emoji":"1f4be"}]},{"id":"J0PCPYSnFIbPaQNk7VJg","title":"TA0006 : Credential Access","pathname":"/detection-engineering-and-threat-hunting/ta0006-credential-access","siteSpaceId":"sitesp_sPlap","emoji":"1f511","description":"","breadcrumbs":[{"label":"☢️ DEATH : Detection Engineering And Threat Hunting"}]},{"id":"WUVoeeJ9a3nN6QUGw3ZJ","title":"Detecting Remote Credentials Dumping via comsvcs.dll","pathname":"/detection-engineering-and-threat-hunting/ta0006-credential-access/detecting-remote-credentials-dumping-via-comsvcs.dll","siteSpaceId":"sitesp_sPlap","description":"Remote credential dumping via comsvcs.dll. Showcasing the Lsassy 3.0.0 tool for detection of stealthier approaches.","breadcrumbs":[{"label":"☢️ DEATH : Detection Engineering And Threat Hunting"},{"label":"TA0006 : Credential Access","emoji":"1f511"}]},{"id":"-MZ_cZdouz7p0UYu6s2T","title":"TA0008 : Lateral Movement","pathname":"/detection-engineering-and-threat-hunting/lateral-movement","siteSpaceId":"sitesp_sPlap","emoji":"1f998","description":"","breadcrumbs":[{"label":"☢️ DEATH : Detection Engineering And Threat Hunting"}]},{"id":"-MZ_dAScHRukSOvz12NG","title":"Detecting Lateral Movement via Service Configuration Manager","pathname":"/detection-engineering-and-threat-hunting/lateral-movement/detecting-lateral-movement-via-service-configuration-manager","siteSpaceId":"sitesp_sPlap","description":"Using Endpoint & Network telemetry to hunt for remote service usage for lateral movement","breadcrumbs":[{"label":"☢️ DEATH : Detection Engineering And Threat Hunting"},{"label":"TA0008 : Lateral Movement","emoji":"1f998"}]},{"id":"Qyxa1WCYJXE7uyTb6ke7","title":"Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1","pathname":"/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1","siteSpaceId":"sitesp_sPlap","description":"Detection opportunities on lateral movement techniques used by CONTI ransomware group using CobaltStrike.","breadcrumbs":[{"label":"☢️ DEATH : Detection Engineering And Threat Hunting"},{"label":"TA0008 : Lateral Movement","emoji":"1f998"}]},{"id":"CztD7hk8PFJ96BumijFO","title":"Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2","pathname":"/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-2","siteSpaceId":"sitesp_sPlap","description":"Detection opportunities on lateral movement techniques used by CONTI ransomware group using CobaltStrike.","breadcrumbs":[{"label":"☢️ DEATH : Detection Engineering And Threat Hunting"},{"label":"TA0008 : Lateral Movement","emoji":"1f998"}]},{"id":"-MPZZmDzSRJjEyfSoRx9","title":"Infosec Game-Sense","pathname":"/misc/infosec-game-sense","siteSpaceId":"sitesp_sPlap","description":"You can learn a lot just by following these people (my personal opinion)","breadcrumbs":[{"label":"Misc","emoji":"1f50e"}]}]}