This final part outlines a practical guide for integrating Sigma into an Elastic Security Operations Center (SOC) workflow, using Rhysida ransomware as the worked case. It details a step-by-step implementation process, including identifying adversary tactics, writing and translating Sigma rules, and deploying the resulting detections, improving detection agility within the SOC environment.
Tag Archives: Tech Blog
Part 1: Sigma – The Universal Language of Threat Detection (History, Reasons, and Benefits)
The modern Security Operations Center (SOC) faces challenges due to fragmented security tools requiring different query languages, leading to slow threat intelligence adoption. Sigma offers a standardized, open-source solution that abstracts detection logic, enabling efficient, multi-platform query generation. This framework allows security teams to focus on strategy rather than syntax, enhancing defense capabilities.
Is Your Phone Plotting Against You? A Deeper Dive Into the 2025 Mobile Threat Report
The 2025 Global Mobile Threat Report by Zimperium reveals significant threats to smartphone security, including an increase in smishing and risks from sideloaded apps. Work apps often share data internationally, exposing vulnerabilities. Many outdated phones lack critical updates, making them security liabilities. Users are advised to verify texts, use official app stores, and install updates promptly for better protection.
Stay Classy, UNC6384: PRC-Nexus Espionage Campaign Targets Diplomats
In March 2025, Google’s Threat Intelligence Group revealed an espionage operation by PRC-nexus actor UNC6384, utilizing captive-portal hijacking to deliver malware. Key components included a fake Adobe plugin, DLL sideloading, and memory-resident payloads like PlugX. The campaign targeted Southeast Asian diplomats, illustrating advanced deception tactics. Defenders can leverage insights for remediation.
Arkime Network Analysis & Packet Capture tool (basic functionality overview)
The blog outlines the configuration and initial usage of Arkime on an Ubuntu VM, emphasizing the connection to an Elasticsearch database. It details the Arkime UI features, including session traffic viewing, histogram adjustments, geolocation mapping, and Session Profile Information analysis. Future posts will explore search functions and advanced traffic analysis.
N8N automation tool (installation and configuration using docker in Linux)
n8n is a powerful open-source workflow automation tool designed to help engineers streamline processes. This blog details the installation of n8n using Docker on an Ubuntu 24.04.2 LTS virtual machine. Step-by-step commands for setting up Docker and creating a demo account are provided, leading to the n8n dashboard for workflow creation.
China-Backed “PurpleHaze” Attacks on SentinelOne and the IT Supply Chain
In June 2025, it was revealed that China-backed groups APT15 and UNC5174 targeted SentinelOne and over 70 organizations in a cyber-espionage campaign named PurpleHaze, utilizing ShadowPad malware. Although SentinelOne itself was not compromised, the threat is significant, necessitating robust detection and mitigation strategies from cybersecurity firms.
Detecting Microsoft 365 Phishing and Direct Send Abuse with Elastic
Elastic’s public detection rules enhance defenses against phishing and spoofing in Microsoft 365, particularly concerning Direct Send abuse. This feature accepts unauthenticated email, which creates spoofing risk. Elastic’s flexible detection engine facilitates the creation of rules to identify such threats, aligning with MITRE ATT&CK for comprehensive security monitoring and response strategies.
Stop Chasing Ghosts in Your SIEM: Let GEKO Hunt Threats for You
GEKO is an open-source tool that automates threat hunting by connecting threat intelligence from OpenCTI with detection rules in Elasticsearch. It analyzes threat actors’ techniques, inventories detection rules, and generates a report card on defense effectiveness, enabling security analysts to focus on relevant threats instead of unnecessary rules and enhancing their detection capabilities.
Deploying the Elastic Stack in an Air-Gapped environment – Part 4 (Optional)
This post details the setup of Logstash for managing Elastic Agents through Fleet. It covers installation, certificate generation for secure communication, and configuring Fleet outputs. Additionally, it highlights scenarios where Logstash enhances data processing, routing, and control before reaching Elasticsearch, emphasizing its flexibility for Elastic Stack deployments.