Part 2: From Threat Intel to Alert – Deploying Sigma Rules in an Elastic SOC

This final part outlines a practical guide for integrating Sigma into an Elastic Security Operations Center (SOC) workflow, focusing on the Rhysida Ransomware. It details a step-by-step implementation process, including identifying adversarial tactics, writing and translating Sigma rules, and deploying detection systems, enhancing detection agility within the SOC environment.

Part 1: Sigma – The Universal Language of Threat Detection (History, Reasons, and Benefits)

The modern Security Operations Center (SOC) faces challenges due to fragmented security tools requiring different query languages, leading to slow threat intelligence adoption. Sigma offers a standardized, open-source solution that abstracts detection logic, enabling efficient, multi-platform query generation. This framework allows security teams to focus on strategy rather than syntax, enhancing defense capabilities.

Stop Chasing Ghosts in Your SIEM: Let GEKO Hunt Threats for You

GEKO is an open-source tool that automates threat hunting by connecting threat intelligence from OpenCTI with detection rules in Elasticsearch. It analyzes threat actors’ techniques, inventories detection rules, and generates a report card on defense effectiveness, enabling security analysts to focus on relevant threats instead of unnecessary rules and to enhance their detection capabilities.

GEKO Part 3: Gitlab + Elasticsearch + Kibana!

This content introduces the integration of Elasticsearch and Kibana in the GEKO stack, supporting Detection as Code. Steps include starting these services, managing detection rules through GitLab, and visualizing data. The guide emphasizes automation, validation, and creating dashboards for security management, encapsulating a modern approach to security engineering.

Arkime Network Analysis & Packet Capture tool (deploying a local demonstration instance)

Arkime is an open-source tool for network traffic capture and analysis, streamlining packet capture with detailed searches and integration with security tools. This blog post walks through installing Arkime on Ubuntu using Elasticsearch as the backend. It covers the setup and configuration steps, culminating in accessing the Arkime viewer for network insights.