rcegan
@rcegann
Microsoft Sentinel Practice Lead @ MSSP. Defender, Detection Engineering, Threat Emulation. Blog-haver. Hack the planet.
In keeping with the tenets of Elastic's detection engineering maturity model, I am going to spin up a DaC lab and see how we go. The native Sentinel 'Repositories' feature is a little underbaked, and I need to support multiple SIEM platforms, so should be good fun. 😎
I like detection as code in theory, but the management overhead that comes with maintaining a huge repo of example logs and constantly running CI/CD unit tests, writing scripts to convert detections into their SIEM-native format, pushing them via API... I don't get it for most…
Cajoling cloud CI/CD pipelines and fudged together shell scripts might as well be one of the circles of hell
Detection as Code update:
* I have a YAML to ARM script (I'm working in Sentinel) turning the pseudocode into an analytics rule
* I have a script for deploying ARM templates into different (or multiple) Sentinel instances
* A basic CI/CD pipeline
Just need to put it all…
Today's a rare moment where I'm thankful the majority of orgs I know have migrated to M365 and SharePoint Online 👀
If anyone has designed Detection as Code repos and pipelines with CI/CD pushing content to *many* SIEM instances simultaneously, I'd love to talk! Designing something similar and I want to compare notes.
Reminder to attend your local #bsides! TIL about MITRE Engage. Feeling the deception itch...

After 6 years in the industry and multiple years fiddling with CI/CD pipelines, the day has come for me to finally perform a 3-way git merge
As a detection engineer, detection objectively sucks compared to prevention ;) Stop the baddies first, and keep the SOC alerts low :))
This is also because a threat actor is quite likely to be operating from a device not under your management, so your tools aren't deployed to it, or they are using a vector not covered by security tools like social engineering. This is what makes device compliance such a strong…
Anyone ever set up the 'Repositories' feature in Microsoft Sentinel and had it work across multiple tenants? 👀
I love spending hours and hours re-writing my Sentinel 'TI map' queries to use the new Sentinel Threat Intel table 🙃
Threat Intel is collecting 70+ links to read, not reading any of them for months, then speedreading every article in one go. Then the process resets
Being an MSSP is painful sometimes... every solution is at least 10x more complicated, and another additional 10x when you're working across multiple platforms 🙃
do I actually have to remove every single hash in this Defender tenant to stop 'CustomEnterpriseBlock' from triggering?? I've scraped the alerts triggering the detection repeatedly via Sentinel and 80% of the hashes aren't even in the block list 😓
Time for a new homelab server! Going with a Minisforum BD795i with a Ryzen 9 7945HX to supersede my current server with a 3900X 👀 16C/32T in an ITX chassis, 96GB of RAM... *slaps roof* this baby can fit so many LOGS in it

Nice change by the @kalilinux team aligning the tools menu to MITRE. :) Feeling nostalgic about Backtrack now, too..