This final part outlines a practical guide for integrating Sigma into an Elastic Security Operations Center (SOC) workflow, focusing on the Rhysida Ransomware. It details a step-by-step implementation process, including identifying adversarial tactics, writing and translating Sigma rules, and deploying detection systems, enhancing detection agility within the SOC environment.
Category Archives: Microsoft
Part 1: Sigma – The Universal Language of Threat Detection (History, Reasons, and Benefits)
The modern Security Operations Center (SOC) faces challenges due to fragmented security tools requiring different query languages, leading to slow threat intelligence adoption. Sigma offers a standardized, open-source solution that abstracts detection logic, enabling efficient, multi-platform query generation. This framework allows security teams to focus on strategy rather than syntax, enhancing defense capabilities.
Detecting Microsoft 365 Phishing and Direct Send Abuse with Elastic
Elastic’s public detection rules enhance defenses against phishing and spoofing in Microsoft 365, particularly concerning Direct Send abuse. This feature allows unauthenticated email sending, posing risks. Elastic’s flexible detection engine facilitates the creation of rules to identify such threats, aligning with MITRE ATT&CK for comprehensive security monitoring and response strategies.
PowerShell commands for Security and System Administration (Part 2)
This blog post presents useful PowerShell commands aimed at security engineers and system administrators, focusing on audit and log analysis, malware and threat hunting, and system hardening. Key commands include monitoring login events, checking for suspicious scheduled tasks, verifying Windows Defender status, and disabling SMBv1 to enhance system security.
PowerShell commands for Security and System Administration (Part 1)
The blog outlines essential PowerShell commands for system administration, focusing on fault investigation, security assessments, and incident response. It covers commands for system and process monitoring, network and firewall analysis, and user and permission management. The author intends to develop their skills and provide a valuable resource for similar tasks.
Running an Elasticsearch cluster using Docker (Windows)
This blog post contains a guide on how to deploy a small Elasticsearch cluster for testing and development purposes on a Windows host using Docker.
How to Activate Office
This article contains a step-by-step guide on how to activate Office LTSC 2021 on Windows when there is no option to use the internet. Steps on how to install Office LTSC 2021 on Windows can be found here: https://plannedlink.io/2024/01/06/how-to-install-office-ltsc-2021/ If you experience problems activating Office 2021 or Office 2019, see This product is already installed on another
How to install Office LTSC 2021
This article contains a step-by-step guide on how to install Office LTSC 2021 on Windows.
Connect to VPN on Startup Before Login
If, like me, you need to establish a VPN from one host to another, or to a secure management network, you might like to configure your host device to establish the connection at boot rather than lose remote connectivity when the device reboots.
Connect to AzureAD
Quite often, the basic logic of how to connect to Azure Active Directory with PowerShell is omitted from how-to guides, so I have added the references below, if for no other reason than to allow me to refer back to them in the future.